SAP Security Notes

Read our latest SAP security bulletins to patch vulnerabilities in your SAP systems and stay ahead of emerging threats.

EXECUTIVE SUMMARY

SAP Vulnerability Research & Advisories

Our Threat Intelligence team provides continuous monitoring and expert analysis of the latest SAP Security Notes and vulnerabilities. This repository serves as a critical resource for SAP Basis and Security teams to identify, prioritize, and remediate flaws in S/4HANA, ECC, and other SAP solutions. By delivering structured advisories on security notes and high-priority patches, we help organizations reduce their mean-time-to-remediation (MTTR) and protect mission-critical SAP solutions from exploitation.

Recent Security Bulletins

Search

SAP Security Notes July 2024: Key Vulnerabilities & Patches

SAP’s July 2024 security notes address several critical vulnerabilities, led by a high-risk missing authentication check in SAP S/4HANA. Also included are patches for a password misuse flaw in SAP Commerce, an information disclosure bug in SAP NetWeaver, and multiple cross-site scripting vulnerabilities. Executive Summary The July 2024 SAP Security Patch Day features several important

Read this Advisory

SAP Security Notes June 2024: High-Priority Fixes for AS Java and S/4HANA

SAP’s June 2024 Patch Day addresses several key vulnerabilities, including a high-priority denial of service issue in NetWeaver AS Java and privilege escalation flaws in S/4HANA and BW/4HANA. Organizations should prioritize applying these patches to mitigate risks of system downtime, data exposure, and unauthorized access. This summary covers the most significant security notes released on

Read this Advisory

SAP Security Notes May 2024: Analysis of Critical Patches

SAP’s May 2024 security update addresses several critical and high-risk vulnerabilities, led by a “Hot news” note for a file upload flaw in SAP NetWeaver. Other significant patches include fixes for remote code execution in SAP CX Commerce and multiple cross-site scripting (XSS) vulnerabilities in BusinessObjects and NetWeaver ABAP. The May 2024 SAP Security Notes

Read this Advisory

SAP Security Notes April 2024: Key Vulnerabilities and Patches

SAP’s April 2024 Security Patch Day addressed 10 new security notes, including three high-priority vulnerabilities. The most critical note, 3434839, tackles a security misconfiguration in SAP NetWeaver AS Java that could allow for weak passwords. Other significant patches address an information disclosure flaw in SAP BusinessObjects and a directory traversal vulnerability in SAP Asset Accounting.

Read this Advisory

SAP Security Notes March 2024: AEO Optimized Summary

SAP’s March 2024 security updates addressed several critical and high-priority vulnerabilities requiring attention from administrators. The patches included two “Hot News” notes for code injection flaws in SAP Build Apps and SAP NetWeaver AS Java, alongside high-priority fixes for path traversal in BusinessObjects, Denial-of-Service in HANA XS, and an authentication flaw in SAP Commerce Cloud.

Read this Advisory

SAP Security Advisory: Summary of Critical Notes for February 2024

SAP’s February 2024 Security Patch Day addressed several critical and high-priority vulnerabilities across its product landscape, including a Hot News note for a code injection flaw. Key patches were released for SAP Application Basis (ABA), NetWeaver Application Server (AS) Java, SAP Cloud Connector, and SAP CRM. Administrators should prioritize the immediate application of these security

Read this Advisory

SAP Security Notes January 2024: Critical Vulnerabilities and Patches

The SAP Security Notes for January 2024 addressed several critical vulnerabilities, including two “Hot News” privilege escalation flaws in SAP Business Application Studio and Edge Integration Cell. A high-priority Denial of Service vulnerability in SAP NetWeaver’s ICM and a code injection flaw in the Application Interface Framework were also patched. This summary covers the key

Read this Advisory

SAP Security Advisory: Critical Patches for December 2023

SAP’s December 2023 security update includes critical patches for an OS command injection vulnerability in SAP S/4HANA and ECC, and high-risk vulnerabilities in the SAP Business Technology Platform (BTP). Organizations should prioritize the review and application of these notes to mitigate significant security risks. This advisory summarizes the key vulnerabilities and the required actions for

Read this Advisory

SAP Security Notes, October 2023

Hot news note 3340576 patches a critical missing authorization check in the SAP Common Cryptographic Library (CommonCryptoLib) that could enable attackers to escalate privileges. CommonCryptoLib is installed in multiple SAP products including SAP NetWeaver AS ABAP, SAP NetWeaver AS Java and ABAP Platform of S/4HANA on-premise, as well as SAP HANA Database, SAP Web Dispatcher,

Read this Advisory

SAP Security Notes, September 2023

Hot news notes 3245526 and 3320355 patch critical code injection and information disclosure vulnerabilities in SAP BusinessObjects Intelligence Platform (BOBJ). Note 3245526 was re-released in September with updated support package and patch level details. The note patches a command injection vulnerability that can be exploited to escalate privileges in the platform. The vulnerability impacts the

Read this Advisory

SAP Security Notes, August 2023

Hot news note 3341460 patches multiple critical vulnerabilities in the data modelling and management solution SAP PowerDesigner. This includes an access control vulnerability for CVE-2023-37483 that has a CVSS score of 9.8/10. The vulnerability can be exploited by attackers to execute arbitrary queries against back-end databases via proxies. It also includes an information disclosure vulnerability

Read this Advisory