Connect with us

Hi, what are you looking for?



SAP Patches Critical Vulnerability Exposing User, Business Data

SAP patches a critical code-injection vulnerability in the SAP ABA (Application Basis) cross-application component.

SAP vulnerability patches

Enterprise software maker SAP announced the release of 13 new and three updated security notes as part of its February 2024 Security Patch Day, including one addressing a critical vulnerability in the SAP ABA cross-application component.

The critical issue, a code injection bug tracked as CVE-2024-22131 (CVSS score of 9.1), could be exploited by an attacker that has remote execution authorization to use a vulnerable interface to invoke an application function and perform actions without permission.

“Depending on the function executed, the attack(er) can read or modify any user/business data and can make the entire system unavailable,” a NIST advisory reads.

According to enterprise application security firm Onapsis, the flaw exists because of a lack of sufficient checks on external calls to a function module.

“The Web Survey feature in SAP provides an RFC-enabled function module that allows dynamically calling any static method of the system without checking any specific authorization. An external call of the function module is only protected by the implicit S_RFC check,” Onapsis says.

SAP has addressed the flaw by adding a configurable check on external calls to the function module. Enabled by default, the check blocks the external calls, but customers can adjust its configuration to be able to use the Web Survey remote capabilities.

The vulnerability impacts SAP ABA (Application Basis) versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, and 75I, SAP explains in its advisory.

The software maker also released five new security notes dealing with high-severity bugs, including cross-site scripting (XSS) and XML External Entity (XEE) injection bugs in NetWeaver AS Java, an XSS issues in CRM (WebClient UI), a code injection defect in IDES Systems, and an improper certificate validation in Cloud Connector.

Advertisement. Scroll to continue reading.

Seven medium-severity flaws impacting Bank Account Management, Companion, NetWeaver Application Server ABAP (SAP Kernel), NetWeaver Business Client for HTML, Fiori, Master Data Governance Material, and CRM (WebClient UI) were also resolved.

On Tuesday, SAP also announced updates for a hot news note delivering patches for 33 vulnerabilities in the Chrome browser for Business Client, a high-priority note addressing an information disclosure bug in NetWeaver Application Server ABAP, and a low-priority note fixing a directory traversal issue in Master Data Governance.

Users are advised to apply the patches as soon as possible. SAP makes no mention of any of these vulnerabilities being exploited in attacks, but threat actors are known to have targeted flaws in SAP products for which fixes have been released.

Related: SAP’s First Patches of 2024 Resolve Critical Vulnerabilities

Related: SAP Patches Critical Vulnerability in Business Technology Platform

Related: SAP Patches Critical Vulnerability in Business One Product

Written By

Ionut Arghire is an international correspondent for SecurityWeek.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

Shaun Khalfan has joined payments giant PayPal as SVP, CISO.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.