Read our latest SAP security bulletins to patch vulnerabilities in your SAP systems and stay ahead of emerging threats.
Our Threat Intelligence team provides continuous monitoring and expert analysis of the latest SAP Security Notes and vulnerabilities. This repository serves as a critical resource for SAP Basis and Security teams to identify, prioritize, and remediate flaws in S/4HANA, ECC, and other SAP solutions. By delivering structured advisories on security notes and high-priority patches, we help organizations reduce their mean-time-to-remediation (MTTR) and protect mission-critical SAP solutions from exploitation.
SAP’s July 2024 security notes address several critical vulnerabilities, led by a high-risk missing authentication check in SAP S/4HANA. Also included are patches for a password misuse flaw in SAP Commerce, an information disclosure bug in SAP NetWeaver, and multiple cross-site scripting vulnerabilities. Executive Summary The July 2024 SAP Security Patch Day features several important
SAP’s June 2024 Patch Day addresses several key vulnerabilities, including a high-priority denial of service issue in NetWeaver AS Java and privilege escalation flaws in S/4HANA and BW/4HANA. Organizations should prioritize applying these patches to mitigate risks of system downtime, data exposure, and unauthorized access. This summary covers the most significant security notes released on
SAP’s May 2024 security update addresses several critical and high-risk vulnerabilities, led by a “Hot news” note for a file upload flaw in SAP NetWeaver. Other significant patches include fixes for remote code execution in SAP CX Commerce and multiple cross-site scripting (XSS) vulnerabilities in BusinessObjects and NetWeaver ABAP. The May 2024 SAP Security Notes
SAP’s April 2024 Security Patch Day addressed 10 new security notes, including three high-priority vulnerabilities. The most critical note, 3434839, tackles a security misconfiguration in SAP NetWeaver AS Java that could allow for weak passwords. Other significant patches address an information disclosure flaw in SAP BusinessObjects and a directory traversal vulnerability in SAP Asset Accounting.
SAP’s March 2024 security updates addressed several critical and high-priority vulnerabilities requiring attention from administrators. The patches included two “Hot News” notes for code injection flaws in SAP Build Apps and SAP NetWeaver AS Java, alongside high-priority fixes for path traversal in BusinessObjects, Denial-of-Service in HANA XS, and an authentication flaw in SAP Commerce Cloud.
SAP’s February 2024 Security Patch Day addressed several critical and high-priority vulnerabilities across its product landscape, including a Hot News note for a code injection flaw. Key patches were released for SAP Application Basis (ABA), NetWeaver Application Server (AS) Java, SAP Cloud Connector, and SAP CRM. Administrators should prioritize the immediate application of these security
The SAP Security Notes for January 2024 addressed several critical vulnerabilities, including two “Hot News” privilege escalation flaws in SAP Business Application Studio and Edge Integration Cell. A high-priority Denial of Service vulnerability in SAP NetWeaver’s ICM and a code injection flaw in the Application Interface Framework were also patched. This summary covers the key
SAP’s December 2023 security update includes critical patches for an OS command injection vulnerability in SAP S/4HANA and ECC, and high-risk vulnerabilities in the SAP Business Technology Platform (BTP). Organizations should prioritize the review and application of these notes to mitigate significant security risks. This advisory summarizes the key vulnerabilities and the required actions for
The SAP Security Notes for November 2023 featured a critical “Hot News” patch for a missing authentication vulnerability in SAP Business One, which registered a 9.6 CVSS score. Other key updates addressed a Cross-Site Request Forgery (CSRF) vulnerability in SAP Sybase and two separate information disclosure issues in SAP NetWeaver ABAP and Java servers. This
Hot news note 3340576 patches a critical missing authorization check in the SAP Common Cryptographic Library (CommonCryptoLib) that could enable attackers to escalate privileges. CommonCryptoLib is installed in multiple SAP products including SAP NetWeaver AS ABAP, SAP NetWeaver AS Java and ABAP Platform of S/4HANA on-premise, as well as SAP HANA Database, SAP Web Dispatcher,
Hot news notes 3245526 and 3320355 patch critical code injection and information disclosure vulnerabilities in SAP BusinessObjects Intelligence Platform (BOBJ). Note 3245526 was re-released in September with updated support package and patch level details. The note patches a command injection vulnerability that can be exploited to escalate privileges in the platform. The vulnerability impacts the
Hot news note 3341460 patches multiple critical vulnerabilities in the data modelling and management solution SAP PowerDesigner. This includes an access control vulnerability for CVE-2023-37483 that has a CVSS score of 9.8/10. The vulnerability can be exploited by attackers to execute arbitrary queries against back-end databases via proxies. It also includes an information disclosure vulnerability