Read our latest SAP security bulletins to patch vulnerabilities in your SAP systems and stay ahead of emerging threats.
Our Threat Intelligence team provides continuous monitoring and expert analysis of the latest SAP Security Notes and vulnerabilities. This repository serves as a critical resource for SAP Basis and Security teams to identify, prioritize, and remediate flaws in S/4HANA, ECC, and other SAP solutions. By delivering structured advisories on security notes and high-priority patches, we help organizations reduce their mean-time-to-remediation (MTTR) and protect mission-critical SAP solutions from exploitation.
A critical “Hot News” SAP security note headlines the June 2025 patch release, addressing a privilege escalation vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP). Organizations should prioritize applying this patch, note 3600840, alongside other high-risk updates for SAP GRC, BW, MDM, and BusinessObjects. The June 2025 SAP Security Patch Day delivers crucial fixes
SAP’s May 2025 security advisories feature a critical zero-day vulnerability in SAP NetWeaver AS Java, alongside high-priority patches for S/4HANA and SAP Supplier Relationship Management (SRM). The most urgent update, hot news note 3594142, addresses a missing authorization check that is under active exploitation. This month’s security notes require immediate attention from administrators to mitigate
SAP’s 24-month rule dictates that corrective fixes for many vulnerabilities are only provided for support packages released within the last two years. This policy primarily affects security notes for issues discovered internally by SAP and means that systems running on older support packages will not receive these specific patches, requiring a full upgrade instead. Regular
SAP’s April 2025 security update addresses several critical and high-risk vulnerabilities, led by a command injection flaw in S/4HANA that could allow full system compromise. Other significant patches fix an authentication bypass in SAP Financial Consolidation and two information disclosure vulnerabilities in SAP BusinessObjects and NetWeaver AS ABAP. This month’s security notes require immediate attention
SAP’s security notes for March 2025 address several high-priority vulnerabilities across its product landscape. The patches include a high-risk missing authorization check in SAP NetWeaver AS ABAP, a Cross-Site Scripting (XSS) flaw in SAP Commerce, an authentication bypass in SAP Approuter, and multiple issues in SAP Commerce Cloud stemming from a vulnerable version of Apache
SAP’s February 2025 Security Patch Day addressed several high-priority vulnerabilities across its product portfolio. The updates include patches for a high-risk cross-site scripting (XSS) flaw in SAP NetWeaver AS Java, an information disclosure vulnerability in SAP BusinessObjects, a path traversal issue in SAP Supplier Relationship Management, and an open redirect vulnerability in SAP HANA. The
SAP’s January 2025 security notes address several critical and high-risk vulnerabilities, most notably in SAP NetWeaver Application Server ABAP (AS ABAP). The release includes a critical 9.9 CVSS score patch for an authentication flaw that could allow credential theft and a separate high-risk patch for information disclosure due to a testing utility left in the
SAP’s December 2024 security notes address several high-risk vulnerabilities, including a Hot News note for Adobe Document Services (ADS) in AS Java. This critical patch tackles multiple flaws, such as Server-Side Request Forgery (SSRF) and information disclosure, for which SAP has provided no workarounds, urging immediate updates. This month’s security advisory outlines critical and high-risk
SAP’s November 2024 Security Notes address several high-priority vulnerabilities. The most critical is a Cross-Site Scripting (XSS) flaw in the SAP Web Dispatcher that allows for full compromise. Other key patches fix privilege escalation issues in SAP PDCE and SAP Host Agent, and authorization problems in NetWeaver AS Java. This advisory summarizes the key vulnerabilities
The October 2024 SAP Security Notes feature a critical update for a missing authentication check in SAP BusinessObjects (BOBJ) that can compromise SSO tickets. Other high-risk notes address a file upload vulnerability in BOBJ, open-source library issues in SAP Enterprise Project Connection, and information disclosure in NetWeaver. SAP’s October 2024 security update is led by
SAP’s September 2024 security update addresses several key vulnerabilities, including a high-priority information disclosure flaw in SAP Commerce Cloud that could expose Personally Identifiable Information (PII). The patches also fix multiple Cross-Site Scripting (XSS) and authorization vulnerabilities across SAP NetWeaver, CRM, and Enterprise Portal, requiring immediate attention from administrators. This advisory summarizes the most significant
SAP’s August 2024 security advisories address several critical vulnerabilities, including a Server-Side Request Forgery (SSRF) in SAP Build Apps and a missing authentication check in SAP BusinessObjects Business Intelligence Platform (BOBJ). These high-priority patches require immediate attention to prevent potential system compromise and data leakage. The August 2024 SAP Patch Day released fixes for multiple