Connect with us

Hi, what are you looking for?



Details of Serious SAP Adaptive Server Enterprise Vulnerabilities Disclosed

Cybersecurity firm Trustwave on Wednesday disclosed the details of several vulnerabilities found by its researchers in SAP Adaptive Server Enterprise (ASE).

Cybersecurity firm Trustwave on Wednesday disclosed the details of several vulnerabilities found by its researchers in SAP Adaptive Server Enterprise (ASE).

SAP ASE is a relational database management system that is used by many major organizations, particularly in the financial sector. At one point, SAP said this product was used by a vast majority of the world’s top 25 banks.

Researchers at Trustwave analyzed SAP ASE and discovered a total of six vulnerabilities, most of which have been assigned a critical or high severity rating. The company says the security holes can allow unprivileged attackers to gain complete control of the database and possibly even the underlying operating system.

The critical issues can allow an attacker with limited privileges to execute arbitrary code with higher permissions — LocalSystem permissions on Windows systems. The flaws, tracked as CVE-2020-6248 and CVE-2020-6252, are related to the Backup Server and Cockpit components.

There is also a high-severity flaw related to the XP Server component that can also be exploited for arbitrary code execution with LocalSystem privileges, Trustwave revealed in a blog post.

Two other high-severity vulnerabilities allow privilege escalation via SQL injection attacks. The last issue, rated medium severity, affects only Linux/UNIX systems and it’s related to the presence of cleartext passwords in installation logs. This weakness can be dangerous when combined with other vulnerabilities as it can result in SAP ASE getting completely compromised.

Trustwave reported its findings to SAP, which released patches in late April for ASE 15.7 and 16.0. SAP mentioned the vulnerabilities in the advisory it released for its May 2020 security updates.

“Organizations often store their most critical data in databases, which, in turn, are often necessarily exposed in untrusted or publicly exposed environments,” Trustwave said. “This makes vulnerabilities like these essential to address and test quickly since they not only threaten the data in the database but potentially the full host that it is running on.”

Advertisement. Scroll to continue reading.

SAP’s latest round of security updates addressed 18 vulnerabilities affecting ABAP Application Server, Business Client, Business Objects, Enterprise Threat Detection, Master Data Governance, NetWeaver, and Identity Management.

Related: SAP Alerts Customers of Vulnerabilities in Cloud Products

Related: SAP’s April 2020 Security Updates Patch Five Critical Vulnerabilities

Related: Critical Vulnerabilities in SAP Solution Manager Expose Companies to Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.