Security Experts:

Connect with us

Hi, what are you looking for?



SAP Patches Critical Vulnerability in ABAP Platform Kernel

SAP on Tuesday announced the release of five new and two updated security notes as part of its November 2021 Security Patch Day, including one note that deals with a critical vulnerability in ABAP Platform Kernel.

SAP on Tuesday announced the release of five new and two updated security notes as part of its November 2021 Security Patch Day, including one note that deals with a critical vulnerability in ABAP Platform Kernel.

Rated Hot News, which is SAP’s highest severity rating, the most severe of the new security notes addresses CVE-2021-40501 (CVSS score of 9.6), a missing authorization check vulnerability in ABAP Platform Kernel.

An authenticated business user could exploit the security hole to escalate their privileges on a vulnerable system, which would enable them to read and modify otherwise restricted data.

“The vulnerability affects trusted connections to other systems via RFC and HTTP communication, allowing the user to execute application-specific logic in other systems,” enterprise app security firm Onapsis explains.

SAP also addressed a high-severity missing authorization check in SAP Commerce, which too could allow an authenticated user to escalate privileges. Tracked as CVE-2021-40502 (CVSS score of 8.3), the bug affects all installations that use Commerce Organization.

SAP also released an updated high-priority security note addressing hardcoded credentials in CA Introscope Enterprise Manager, which was initially patched in 2020.

While these are the only two high-priority notes SAP has included in its advisory, Onapsis mentions a third such note (CVSS score of 7.9), which deals with known denial of service (DoS) vulnerabilities in open source dependencies used by Forecasting and Replenishment for Retail (FRP or F&R).

The note was released after the second Tuesday of October but before the second Tuesday of this month, the same as three other medium-priority notes.

SAP included four medium-priority security notes in this month’s advisory, one of which is an update for a September 2021 note. The notes address an information disclosure in GUI for Windows, missing authorization checks in ERP HCM and ERP Financial Accounting, and a leverage of permission in NetWeaver Application Server for ABAP and ABAP Platform.

Related: SAP Patches Critical Vulnerabilities in Environmental Compliance

Related: SAP Patches Critical Vulnerabilities With September 2021 Security Updates

Related: Nine Critical and High-Severity Vulnerabilities Patched in SAP Products

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet