Virtual Event Today: Supply Chain Security Summit - Join Event In-Progress

Security Experts:

Connect with us

Hi, what are you looking for?


Supply Chain Security

Critical SAP Vulnerability Allows Supply Chain Attacks

A critical vulnerability addressed recently in SAP NetWeaver AS ABAP and ABAP Platform could be abused to set up supply chain attacks, SAP security solutions provider SecurityBridge warns.

A critical vulnerability addressed recently in SAP NetWeaver AS ABAP and ABAP Platform could be abused to set up supply chain attacks, SAP security solutions provider SecurityBridge warns.

Tracked as CVE-2021-38178 and featuring a CVSS score of 9.1, the critical vulnerability was addressed on the October 2021 SAP Patch Day.

Described as an improper authorization issue, the security error allows an attacker to tamper with transport requests, thus bypassing quality gates and transferring code artifacts to production systems.

Production systems are typically at the end of the line in SAP instances for development, integration, and testing, with all instances often sharing a central transport directory, where files needed for deploying changes from development to production are stored.

Transport requests are used to deploy modifications throughout the SAP system line, and these requests are assumed to be unmodifiable once exported. Thus, for any new change, a different request would be needed.

However, SecurityBridge discovered that standard SAP deployments include a program that does allow employees with specific authorization levels to change the header attributes of SAP transport requests.

Because of that, an attacker or a malicious insider with sufficient permissions on a compromised system has a window of opportunity between the export of transport requests and their import into production units, when they could change the release status from ”Released” to ”Modifiable.”

A transport request can be tampered with after it has passed all quality gates, and the attacker could add a payload to be executed after import into a target system, thus opening the door to supply chain attacks.

“Attackers may introduce malicious code into the SAP development stage, unseen, even into requests that have already been imported into the test stage. They could alter the transport request content just before promotion into production, allowing for code execution,” SecurityBridge notes.

All SAP environments where a single transport directory is used at various staging levels are vulnerable and organizations are advised to apply the available patches and check for manipulations of transport requests before importing into production.

Related: SAP Patches Log4Shell Vulnerability in More Applications

Related: SAP Patches Log4Shell Vulnerability in 20 Applications

Related: SAP Patches Critical Vulnerability in ABAP Platform Kernel

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...