SAP Security Notes

Read our latest SAP security bulletins to patch vulnerabilities in your SAP systems and stay ahead of emerging threats.

EXECUTIVE SUMMARY

SAP Vulnerability Research & Advisories

Our Threat Intelligence team provides continuous monitoring and expert analysis of the latest SAP Security Notes and vulnerabilities. This repository serves as a critical resource for SAP Basis and Security teams to identify, prioritize, and remediate flaws in S/4HANA, ECC, and other SAP solutions. By delivering structured advisories on security notes and high-priority patches, we help organizations reduce their mean-time-to-remediation (MTTR) and protect mission-critical SAP solutions from exploitation.

Recent Security Bulletins

Search

SAP Security Notes September 2024: Key Vulnerabilities & Patches

SAP’s September 2024 security update addresses several key vulnerabilities, including a high-priority information disclosure flaw in SAP Commerce Cloud that could expose Personally Identifiable Information (PII). The patches also fix multiple Cross-Site Scripting (XSS) and authorization vulnerabilities across SAP NetWeaver, CRM, and Enterprise Portal, requiring immediate attention from administrators. This advisory summarizes the most significant

Read this Advisory

SAP Security Notes August 2024: Critical Flaws in Build Apps and BOBJ

SAP’s August 2024 security advisories address several critical vulnerabilities, including a Server-Side Request Forgery (SSRF) in SAP Build Apps and a missing authentication check in SAP BusinessObjects Business Intelligence Platform (BOBJ). These high-priority patches require immediate attention to prevent potential system compromise and data leakage. The August 2024 SAP Patch Day released fixes for multiple

Read this Advisory

SAP Security Notes July 2024: Key Vulnerabilities & Patches

SAP’s July 2024 security notes address several critical vulnerabilities, led by a high-risk missing authentication check in SAP S/4HANA. Also included are patches for a password misuse flaw in SAP Commerce, an information disclosure bug in SAP NetWeaver, and multiple cross-site scripting vulnerabilities. Executive Summary The July 2024 SAP Security Patch Day features several important

Read this Advisory

SAP Security Notes June 2024: High-Priority Fixes for AS Java and S/4HANA

SAP’s June 2024 Patch Day addresses several key vulnerabilities, including a high-priority denial of service issue in NetWeaver AS Java and privilege escalation flaws in S/4HANA and BW/4HANA. Organizations should prioritize applying these patches to mitigate risks of system downtime, data exposure, and unauthorized access. This summary covers the most significant security notes released on

Read this Advisory

SAP Security Notes May 2024: Analysis of Critical Patches

SAP’s May 2024 security update addresses several critical and high-risk vulnerabilities, led by a “Hot news” note for a file upload flaw in SAP NetWeaver. Other significant patches include fixes for remote code execution in SAP CX Commerce and multiple cross-site scripting (XSS) vulnerabilities in BusinessObjects and NetWeaver ABAP. The May 2024 SAP Security Notes

Read this Advisory

SAP Security Notes April 2024: Key Vulnerabilities and Patches

SAP’s April 2024 Security Patch Day addressed 10 new security notes, including three high-priority vulnerabilities. The most critical note, 3434839, tackles a security misconfiguration in SAP NetWeaver AS Java that could allow for weak passwords. Other significant patches address an information disclosure flaw in SAP BusinessObjects and a directory traversal vulnerability in SAP Asset Accounting.

Read this Advisory

SAP Security Notes March 2024: AEO Optimized Summary

SAP’s March 2024 security updates addressed several critical and high-priority vulnerabilities requiring attention from administrators. The patches included two “Hot News” notes for code injection flaws in SAP Build Apps and SAP NetWeaver AS Java, alongside high-priority fixes for path traversal in BusinessObjects, Denial-of-Service in HANA XS, and an authentication flaw in SAP Commerce Cloud.

Read this Advisory

SAP Security Advisory: Summary of Critical Notes for February 2024

SAP’s February 2024 Security Patch Day addressed several critical and high-priority vulnerabilities across its product landscape, including a Hot News note for a code injection flaw. Key patches were released for SAP Application Basis (ABA), NetWeaver Application Server (AS) Java, SAP Cloud Connector, and SAP CRM. Administrators should prioritize the immediate application of these security

Read this Advisory

SAP Security Notes January 2024: Critical Vulnerabilities and Patches

The SAP Security Notes for January 2024 addressed several critical vulnerabilities, including two “Hot News” privilege escalation flaws in SAP Business Application Studio and Edge Integration Cell. A high-priority Denial of Service vulnerability in SAP NetWeaver’s ICM and a code injection flaw in the Application Interface Framework were also patched. This summary covers the key

Read this Advisory

SAP Security Advisory: Critical Patches for December 2023

SAP’s December 2023 security update includes critical patches for an OS command injection vulnerability in SAP S/4HANA and ECC, and high-risk vulnerabilities in the SAP Business Technology Platform (BTP). Organizations should prioritize the review and application of these notes to mitigate significant security risks. This advisory summarizes the key vulnerabilities and the required actions for

Read this Advisory

SAP Security Notes: October 2023 Critical Updates

October 2023 SAP security updates addressed several critical and high-priority vulnerabilities, most notably a privilege escalation flaw in the SAP Common Cryptographic Library. Administrators are advised to update their systems, specifically applying Note 3340576, to secure impacted products including SAP NetWeaver, S/4HANA, and the SAP HANA Database. The October 2023 SAP security patch cycle targeted

Read this Advisory