Security Experts:

Connect with us

Hi, what are you looking for?



SAP Releases Five ‘Hot News’ Notes on March 2023 Patch Day

SAP has released 19 new notes on March 2023 Security Patch Day, including five notes rated hot news.

German enterprise software maker SAP announced the release of 19 new notes on its March 2023 Security Patch Day, including five hot news notes.

The notes rated ‘hot news’ – the highest rating in SAP’s playbook – resolve critical vulnerabilities impacting Business Objects, NetWeaver, ERP and S4HANA.

Two of the hot news notes address security defects in the Business Objects Business Intelligence Platform.

The most severe of these is CVE-2023-25616, a code injection flaw in the Central Management Console (CMC), followed by CVE-2023-25617, an OS command injection in Adaptive Job Server.

Next in line are two hot news notes addressing flaws in NetWeaver. The first is CVE-2023-23857, an improper access control issue in the Locking Service that could allow an attacker to “attach to an open interface and make use of an open naming and directory API to access services”.

According to enterprise application security firm Onapsis, the attacker can abuse these services to perform unauthorized operations.

The second issue is CVE-2023-27269, a path traversal bug “caused by the include program RSPOXTAB that allows access to files that are not assigned to a logical file name in the system”, Onapsis explains.

The fifth hot news note addresses CVE-2023-27500, a directory traversal vulnerability in the SAPRSBRO program in ERP and S4HANA. By disabling the program, SAP no longer allows “non-administrative authorizations to overwrite arbitrary critical OS files”.

This month’s SAP security updates also include four notes that resolve high-severity flaws impacting Solution Manager and ABAP managed systems (ST-PI), NetWeaver AS for ABAP and ABAP Platform, and the SAPOSCOL application.

Successful exploitation of these issues could allow attackers to execute code remotely, delete arbitrary files at the OS level to make the system unavailable, cause a denial-of-service (DoS) condition, and trigger a memory corruption bug to read technical information about the server.

All the remaining new notes released on SAP’s March 2023 Security Patch Day resolve medium-severity vulnerabilities.

Related: SAP’s February 2023 Security Updates Patch High-Severity Vulnerabilities

Related: SAP’s First Security Updates for 2023 Resolve Critical Vulnerabilities

Related: SAP’s December 2022 Security Updates Patch Critical Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.