On its April Patch Day, SAP published twenty new and updated security notes, including three HotNews and five High Priority notes. Together they address several critical vulnerabilities across a range of SAP products.
The most significant updates are SAP Security Notes #3587115 and #3581961, both rated CVSS 9.9. They fix a critical code injection vulnerability in SAP ECC and SAP S/4HANA respectively. The flaw allows an attacker to remotely generate arbitrary ABAP code on the affected system, which amounts to remote code execution and puts the whole system at risk.
Another critical issue is a Time-of-check Time-of-use (TOCTOU) race condition in SAP Commerce Cloud, fixed by SAP Security Note #3590984 and rated CVSS 8.1. A TOCTOU race arises when a resource is validated in one step and used in a later one: an attacker who changes the resource between the two steps gets the check applied to one state and the use applied to another, so the system acts on something it never actually verified.
The Onapsis Research Labs (ORL) team contributed to several of these fixes. ORL worked with SAP on a vulnerability in SAP Landscape Transformation and S/4HANA, providing detailed analysis and guidance over the August and September 2025 Patch Days, and also contributed to the fixes for an information disclosure vulnerability in SAP KMC WPC and for a vulnerability in NetWeaver Application Server ABAP (Mixed Dynamic RFC Destination).
SAP Security Note #3572688, rated CVSS 9.8, fixes an authentication bypass vulnerability in SAP Financial Consolidation. Left unpatched, it lets an unauthenticated remote attacker issue a parameter query that returns usernames, exposing confidential information and compromising the confidentiality of the application.
SAP Security Note #3581811 covers SAP NetWeaver Application Server ABAP and ABAP Platform and fixes a directory traversal vulnerability rated CVSS 7.7. If exploited, it allows a low-privileged attacker to read files from directories they are not authorized to access.
SAP Security Note #2927164 patches a directory traversal vulnerability of the same kind in SAP Capital Yield Tax Management, again allowing a low-privileged attacker to read files from directories they are not authorized to access.
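As an added illustration (not code from SAP, Onapsis or any of the notes above), the following Python script shows the two bug classes behind the directory traversal notes and the SAP Commerce Cloud TOCTOU note in generic form: a string-filtering path check beside a canonicalising one, and a check-then-open file reader that a symlink swap defeats beside one that opens first and validates the object it actually opened. The base directory, file names, file contents and the attacker helper are all constructed for the demo and say nothing about how the affected SAP components are implemented.

```python
"""Directory traversal and check-then-use (TOCTOU) on file reads.

Added example; not code from SAP or Onapsis. Paths, files and the
attacker helper are constructed for the demo (POSIX only).
"""
import os
import shutil
import stat
import tempfile


def make_sandbox():
    """Constructed layout: <root>/public/report.txt may be served,
    <root>/secret.txt must never be readable through the public reader."""
    root = tempfile.mkdtemp()
    public = os.path.join(root, "public")
    os.mkdir(public)
    with open(os.path.join(public, "report.txt"), "w") as f:
        f.write("public report")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("secret")
    return root, public


def escapes(base, path):
    """True if the canonical form of path lies outside the canonical base."""
    base_real = os.path.realpath(base)
    return os.path.commonpath([base_real, os.path.realpath(path)]) != base_real


def weak_resolve(base, user_path):
    """Typical broken filter: strip '../' from the string, then join.
    Bypassed by doubled sequences ('....//' -> '../') and by absolute
    paths, which os.path.join honours by discarding base."""
    return os.path.normpath(os.path.join(base, user_path.replace("../", "")))


def safe_resolve(base, user_path):
    """Canonicalise first, then require the result to stay under base."""
    target = os.path.realpath(os.path.join(os.path.realpath(base), user_path))
    if escapes(base, target):
        raise PermissionError(f"{user_path!r} escapes {base}")
    return target


def traversal_demo():
    """Returns {label: (weak filter let it escape, safe resolver allowed it)}."""
    root, public = make_sandbox()
    inputs = {
        "plain": "report.txt",
        "dotdot": "../secret.txt",       # the only case the string filter catches
        "doubled": "....//secret.txt",   # filter yields '../secret.txt'; canonically
                                         # it is a file under base, so safe allows it
        "absolute": os.path.join(root, "secret.txt"),  # join() drops base entirely
    }
    results = {}
    for label, user_path in inputs.items():
        weak_escaped = escapes(public, weak_resolve(public, user_path))
        try:
            safe_resolve(public, user_path)
            safe_allowed = True
        except PermissionError:
            safe_allowed = False
        results[label] = (weak_escaped, safe_allowed)
    shutil.rmtree(root, ignore_errors=True)
    return results


def read_checked_then_open(public, name, attacker_window=lambda: None):
    """Vulnerable: the path is validated, then handed to open(), which walks
    the path again. Whatever the path points at by then gets read."""
    path = safe_resolve(public, name)   # check
    attacker_window()                   # attacker swaps the file here
    with open(path) as f:               # use
        return f.read()


def read_open_then_check(public, name, attacker_window=lambda: None):
    """Hardened: accept a single file name, open it relative to a directory
    descriptor without following a symlink, then validate the object that was
    actually opened. A symlink planted in the window makes the open fail."""
    if os.sep in name or name in ("", ".", ".."):
        raise PermissionError(f"bad file name {name!r}")
    dirfd = os.open(public, os.O_RDONLY | os.O_DIRECTORY)
    try:
        attacker_window()
        fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dirfd)
    finally:
        os.close(dirfd)
    with os.fdopen(fd) as f:
        if not stat.S_ISREG(os.fstat(f.fileno()).st_mode):
            raise PermissionError("not a regular file")
        return f.read()


def make_attacker(public, secret_path):
    """Constructed attacker: replaces the served file with a symlink to the
    secret between the reader's check and its open()."""
    target = os.path.join(public, "report.txt")

    def swap():
        os.remove(target)
        os.symlink(secret_path, target)
    return swap


def toctou_demo():
    """Returns what each reader yielded under the same swap attack."""
    results = {}
    for label, reader in (("vulnerable", read_checked_then_open),
                          ("hardened", read_open_then_check)):
        root, public = make_sandbox()
        attacker = make_attacker(public, os.path.join(root, "secret.txt"))
        try:
            results[label] = reader(public, "report.txt", attacker)
        except OSError:  # O_NOFOLLOW refuses the planted symlink (ELOOP)
            results[label] = "refused"
        shutil.rmtree(root, ignore_errors=True)
    return results
```

Two points carry over to any file-serving code, SAP or otherwise: filter on the canonical path rather than on the input string, since string rewriting can turn a harmless input into a traversal; and treat a path check as advisory only, because the kernel re-resolves the path at open time, so the property you rely on must be verified on the descriptor you actually hold.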
Lastly, SAP Security Note #3568307, rated CVSS 5.3, addresses an information disclosure issue in SAP KMC WPC. It matters more than its score suggests because it closes a gap in the fix delivered with SAP Security Note #3469791 in December 2024; systems that applied the earlier note still need this one.
In conclusion, these updates address a range of critical vulnerabilities across SAP products and underscore the importance of applying security patches promptly to keep SAP systems secure.
To stay informed about the latest SAP security issues and the work of the Onapsis Research Labs, subscribe to the monthly Defenders Digest Onapsis Newsletter on LinkedIn. For details on all of this month's security notes, visit the Onapsis Blog. The Onapsis Research Labs are updating the Onapsis Platform to cover the newly published vulnerabilities so that customers can protect themselves as early as possible.