Security Experts:

Connect with us

Hi, what are you looking for?



SAP Patches Critical Vulnerabilities With September 2021 Security Updates

German software maker SAP this week announced the release of 17 new and two updated security notes on the September 2021 Security Patch Day. Seven of these deal with critical vulnerabilities in SAP products.

German software maker SAP this week announced the release of 17 new and two updated security notes on the September 2021 Security Patch Day. Seven of these deal with critical vulnerabilities in SAP products.

The most important of the newly released security notes patches a missing authorization check in SAP NetWeaver Application Server for Java. Tracked as CVE-2021-37535, the vulnerability has a CVSS score of 10.

Two other critical vulnerabilities (CVSS score of 9.9) were addressed with Hot News security notes for NetWeaver. These include CVE-2021-38163, an unrestricted file upload bug in Visual Composer 7.0 RT, and CVE-2021-37531, a code injection issue in Knowledge Management.

Both vulnerabilities require for an attacker to have minimum privileges on the affected system for exploitation, which prevents the bugs from having a maximum CVSS score.

One other critical vulnerability (CVE-2021-38176, CVSS score of 9.9) is an SQL injection patched in the Near Zero Downtime (NZDT) Mapping Table Framework, but affects multiple products, including SAP HANA, LT Replication Server, Test Data Migration Server, Landscape Transformation, and LTRS for S/4HANA.

The issue is an improper input sanitization in 25 RFC-enabled function modules that could allow an “authenticated user with certain specific privileges to remotely call these function modules and execute manipulated queries to gain access to the backend database,” SAP application security firm Onapsis explains.

The fifth Hot News security note that SAP released this week addresses critical code injection and reflected cross-site scripting (XSS) vulnerabilities in SAP Contact Center. Tracked as CVE-2021-33672, CVE-2021-33673, CVE-2021-33674, and CVE-2021-33675, the bugs carry a CVSS score of 9.6.

SAP also released two updated security notes this week, both Hot News, carrying a CVSS score of 10. The first delivers an update for the Chromium browser in Business Client, while the other deals with an unrestricted file upload bug in Business One (which was initially addressed in August).

Two High priority security notes were released on SAP’s September 2021 Patch Day, addressing an HTTP request smuggling issue in Web Dispatcher (CVE-2021-38162) and a null pointer dereference flaw in CommonCryptoLib (CVE-2021-38177).

SAP also released two Medium priority security notes on this month’s Patch Day, dealing with various issues in Analysis for Microsoft Office, Business Client, Business One, BusinessObjects, ERP Financial Accounting, NetWeaver, and 3D Visual Enterprise Viewer.

Related: SAP Customer Survey Reveals False Sense of Security

Related: SAP Patches High-Risk Vulnerabilities in NetWeaver

Related: SAP Patches Critical Vulnerabilities in NetWeaver

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet