SAP Security Notes, June 2025
Hot news note 3600840 patches a critical missing authorization check in SAP NetWeaver Application Server ABAP (AS ABAP) that could lead to an escalation of privileges. The vulnerability is due to the failure to check the RFC start authorization S_RFC for transactional (tRFC) and queued RFC (qRFC) calls during the playback of recorded RFCs. It […]
SAP Security Notes, May 2025
Hot news note 3594142 patches a critical missing authorization check in the development server of Visual Composer within SAP NetWeaver Application Server Java (AS Java). The note addresses CVE-2025-31324, a zero-day vulnerability discovered and reported by ReliaQuest on April 22. The note includes a correction for specific support packages of version 7.50 of AS Java. […]
SAP Zero Day Vulnerability CVE-2025-31324 / Security Note 3594142
On April 22, ReliaQuest released details of a zero-day vulnerability that the company discovered during investigations into customer incidents involving the upload and execution of malicious files in SAP NetWeaver Java systems. According to the findings of the investigation, threat actors were able to take full control of the target systems by exploiting a vulnerability […]
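The incidents described above involved malicious files being uploaded to and then executed on NetWeaver Java systems. As an added example that is not part of the original post or of any SAP or ReliaQuest tooling, the script below triages web server access logs for that pattern: a POST that names a JSP or WAR artefact, followed by successful requests to a JSP resource the application is not known to serve. The log format, the baseline of known JSP paths and the sample log lines are all constructed for the example, and the upload path and file names in them are hypothetical, not indicators from the advisory.

```python
"""Triage of web server access logs for signs of file upload followed by
execution of an unexpected JSP on a NetWeaver Java host.

Added example for this page. The log format, the baseline of known JSP
resources and the sample lines are constructed; nothing here is taken from
the SAP note or the ReliaQuest report.
"""
import re
from dataclasses import dataclass

# Constructed single-line format: client  method  path  status
LOG_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Hypothetical baseline: JSP resources the application is known to serve.
# In practice this set is built from a clean reference system or deployment
# inventory, not from the logs being examined.
KNOWN_JSP = {
    "/irj/servlet/prt/portal/index.jsp",
    "/nwa/login.jsp",
}

# Path or query component naming an artefact a web shell is typically
# dropped as on a Java application server.
ARTEFACT_RE = re.compile(r"\.(jsp|jspx|war)(\b|$)")

# Constructed sample log; the upload path and file names are invented.
SAMPLE_LOG = """\
10.0.0.5 GET /irj/servlet/prt/portal/index.jsp 200
203.0.113.7 POST /upload?file=helper.jsp 200
203.0.113.7 GET /irj/helper.jsp?cmd=id 200
10.0.0.9 GET /nwa/login.jsp 200
10.0.0.9 GET /irj/missing.jsp 404
"""


@dataclass(frozen=True)
class Finding:
    client: str
    kind: str   # "upload" or "unknown_jsp_request"
    path: str


def parse(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines, known_jsp=KNOWN_JSP):
    """Scan log lines in order and return findings for suspicious requests."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        path = rec["path"]
        base, _, _query = path.partition("?")
        # Rule 1: a POST whose path or query names a JSP/WAR artefact is a
        # candidate upload of a web shell.
        if rec["method"] == "POST" and ARTEFACT_RE.search(path.lower()):
            findings.append(Finding(rec["client"], "upload", path))
        # Rule 2: a successful request for a JSP that is not in the baseline
        # is a candidate execution of a dropped file. Non-200 responses are
        # ignored here; a 404 to an unknown JSP is noise, not execution.
        elif (
            base.lower().endswith((".jsp", ".jspx"))
            and rec["status"] == "200"
            and base not in known_jsp
        ):
            findings.append(Finding(rec["client"], "unknown_jsp_request", base))
    return findings


def clients_with_upload_and_execution(findings):
    """Clients seen both uploading an artefact and hitting an unknown JSP."""
    kinds = {}
    for f in findings:
        kinds.setdefault(f.client, set()).add(f.kind)
    return {c for c, k in kinds.items() if {"upload", "unknown_jsp_request"} <= k}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.kind:22} {f.client:15} {f.path}")
    print("upload+execution:", sorted(clients_with_upload_and_execution(found)))
```

The two rules are deliberately independent so that either half of the pattern is reported on its own; the combined view in `clients_with_upload_and_execution` is what to escalate first. Feed the real access logs of the Java instance through `triage` after converting them to the constructed four-field format, and replace `KNOWN_JSP` with a baseline from a clean system.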
SAP Security Notes, April 2025
Hot news note 3581961 patches a critical command injection vulnerability in SAP S/4HANA. Attackers can exploit a vulnerable remote-enabled function module over RFC to create a backdoor that bypasses authorization checks and provides full administrative access to the system. All releases of S/4HANA on-premise and private cloud are impacted. Corrections are included in the support package […]
SAP Security Notes, March 2025
Note 3563927 addresses a high-risk missing authorization check in SAP NetWeaver Application Server ABAP (AS ABAP) that could lead to an escalation of privileges. The correction included in the note restricts the ability to execute development functions using transaction SA38 from the ABAP Class Builder. SA38 enables program execution in AS ABAP. Authorization object S_PROGRAM […]
SAP Security Notes, February 2025
Note 3417627 was updated in February to patch a high-risk cross-site scripting vulnerability in the User Admin application of SAP NetWeaver AS Java. The vulnerability is due to insufficient input validation and improper output encoding. This allows an unauthenticated attacker to craft links containing malicious scripts. When a victim clicks on such a link, the […]
SAP Security Notes, January 2025
Hot news note 3537476 patches a critical vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP) that enables attackers to exploit authentication weaknesses in the platform to compromise credentials in internal RFC communications and execute commands using the stolen credentials. The vulnerability carries a CVSS base score of 9.9/10. The attack vectors to exploit the […]
SAP Security Notes, December 2024
Hot news note 3536965 addresses multiple high-risk vulnerabilities in Adobe Document Services (ADS) of SAP NetWeaver Application Server for Java (AS Java). These include a Server-Side Request Forgery (SSRF) vulnerability and an information disclosure vulnerability. ADS should be updated to the recommended patch levels detailed in the note. SAP provides no workarounds. Note […]
SAP Security Notes, November 2024
Note 3520281 patches a high-priority Cross-Site Scripting (XSS) vulnerability in the SAP Web Dispatcher. The vulnerability can be exploited by attackers to execute arbitrary script in the browser of a user of the administration UI and, through that session, fully compromise Web Dispatcher installations. The vulnerability therefore impacts users accessing the administration UI with a browser. The administration UI can be disabled as a workaround. This can be […]
SAP Security Notes, October 2024
Hot news note 3479478 was updated for a critical missing authentication check in the SAP BusinessObjects (BOBJ) Business Intelligence Platform. The vulnerability can be exploited to compromise logon tickets used for Single Sign-On. The update provides a fix for BOBJ 4.2 SP009. The note includes details of a workaround that disables trusted authentication in the […]