SAP Security Notes

Read our latest SAP security bulletins to patch vulnerabilities in your SAP systems and stay ahead of emerging threats.

EXECUTIVE SUMMARY

SAP Vulnerability Research & Advisories

Our Threat Intelligence team provides continuous monitoring and expert analysis of the latest SAP Security Notes and vulnerabilities. This repository serves as a critical resource for SAP Basis and Security teams to identify, prioritize, and remediate flaws in S/4HANA, ECC, and other SAP solutions. By delivering structured advisories on security notes and high-priority patches, we help organizations reduce their mean-time-to-remediation (MTTR) and protect mission-critical SAP solutions from exploitation.

Recent Security Bulletins

Search

SAP Security Notes: September 2023 Vulnerability Summary

The September 2023 SAP Security Notes address critical and high-priority vulnerabilities affecting the SAP BusinessObjects Intelligence Platform (BOBJ) and the SAP Common Crypto Library. These patches remediate risks including code injection, information disclosure, cross-site scripting (XSS), and denial of service (DoS) attacks that could compromise system integrity. Executive Summary In September 2023, SAP released critical

Read this Advisory

SAP Security Notes: August 2023 Vulnerability Summary

The August 2023 SAP security updates address multiple critical vulnerabilities, most notably in SAP PowerDesigner, which faces a 9.8/10 CVSS-rated access control flaw. Other patches resolve issues in SAP Message Server, SAP BusinessObjects Business Intelligence (BOBJ), SAP SQL Anywhere, and SAP Commerce Cloud, requiring immediate attention to prevent unauthorized access and system compromise. Executive Summary

Read this Advisory

SAP Security Notes: July 2023 Vulnerability Summary

The July 2023 SAP security updates address critical vulnerabilities, including OS command injection in SAP ECC and S/4HANA (note 3350297), buffer overflow and HTTP request smuggling in SAP Web Dispatcher (notes 3340735 and 3233899), and blind SSRF and header injection in the Diagnostics Agent (notes 3352058 and 3348145). The July 2023 SAP security advisories focus

Read this Advisory

SAP Security Notes: June 2023 Vulnerability Summary

The June 2023 SAP security updates addressed high-priority vulnerabilities across multiple platforms, including SAP UI5, SAP Knowledge Warehouse, and various NetWeaver-based applications. These patches primarily target cross-site scripting (XSS) and clickjacking risks, providing necessary input validation and configuration restrictions to protect SAP environments from malicious exploitation. Executive Summary The June 2023 SAP security update cycle

Read this Advisory

SAP Security Notes: May 2023 Patch Summary

In May 2023, SAP released critical security updates addressing vulnerabilities across several platforms, most notably SAP BusinessObjects (BOBJ) and the SAP 3D Visual Enterprise License Manager. These updates include patches for information disclosure, code injection, broken authentication, and session hijacking risks that require immediate attention from security administrators. Executive Summary The May 2023 SAP security

Read this Advisory

SAP Security Notes: April 2023 Summary

In April 2023, SAP released several critical security notes addressing vulnerabilities in its software. Key patches included Note 3305369 for the SAP Diagnostics Agent, Note 3294595 for SAP NetWeaver AS ABAP, Note 3298961 for SAP BOBJ, and Note 3305907 for the BI Content Add-on for AS ABAP. The April 2023 SAP security update focused on

Read this Advisory

SAP Security Notes: March 2023 Vulnerability Summary

What are the critical SAP security vulnerabilities addressed in March 2023? In March 2023, SAP released patches for several high-risk vulnerabilities, including a critical SQL injection in NetWeaver AS Java, authentication bypasses in the LockingService, and code execution risks in SAP BusinessObjects Business Intelligence (BOBJ). These updates are essential for maintaining system integrity and preventing

Read this Advisory

SAP Security Notes: Critical Vulnerabilities and Updates for February 2023

The February 2023 SAP Security Notes address critical vulnerabilities across NetWeaver Application Server Java, the SAP Host Agent, and SAP BusinessObjects. Key patches include fixes for JNDI interface exposure, privilege escalation via webservice requests, and unrestricted file upload vulnerabilities, alongside necessary corrections for side effects introduced by earlier security patches. Executive Summary The February 2023

Read this Advisory

SAP Security Notes: January 2023 Vulnerability Summary

The January 2023 SAP Security patch cycle addressed several critical and high-risk vulnerabilities, including a capture-replay issue in SAP NetWeaver AS ABAP and a broken authentication flaw in SAP NetWeaver AS Java. Organizations are advised to apply these security notes immediately to prevent unauthorized data access and potential service disruption. Executive Summary The January 2023

Read this Advisory

SAP Security Notes, December 2022

Hot news notes 3267780 and 3273480 patch critical broken authentication vulnerabilities in SAP NetWeaver Application Server Java (AS Java). Threat actors can exploit the vulnerabilities to attach to an open interface exposed through JNDI by the Messaging System and User Defined Search (UDS) of SAP NetWeaver AS Java. Once attached, they can make use of

Read this Advisory

SAP Security Notes, November 2022

Hot news note 3243924 for CVE-2022-41203 patches a critical vulnerability related to insecure deserialization of untrusted data in the Central Management Console (CMC) and BI Launchpad of SAP BusinessObjects Business Intelligence Platform (BOBJ). The vulnerability impacts versions 4.2 and 4.3 of BOBJ and can be exploited by threat actors to bypass authentication, inject malicious code,

Read this Advisory

SAP Security Notes, October 2022

Hot news note 3239152 patches a critical URL redirection vulnerability in SAP Commerce Cloud. The vulnerability can be exploited to manipulate URLs and redirect users to logon pages controlled by threat actors. User submissions served by attacker-controlled servers can be used to steal logon credentials and hijack accounts. Note 3239152 includes a fix for specific

Read this Advisory