SAP patches critical vulnerability that could allow complete system takeover

April 15, 20262 min read1 sources
Share:
SAP patches critical vulnerability that could allow complete system takeover

SAP has released its May 2024 security update, addressing 19 vulnerabilities across its product suite. The most severe patch fixes a critical flaw in the SAP ABAP Server and ABAP Platform that could allow an unauthenticated attacker to gain complete control over affected enterprise systems.

The vulnerability, tracked as CVE-2024-27296, is a missing authorization check with a CVSS score of 9.6 out of 10. According to security firm Onapsis, which discovered and reported the issue, the flaw allows a remote attacker to execute arbitrary ABAP code without any authentication or user interaction. This provides a direct path to compromising the confidentiality, integrity, and availability of the entire system.

A successful exploit could have severe consequences for an organization. An attacker with full control over a core SAP system could access and exfiltrate sensitive data, including financial records, customer information, and intellectual property. They could also disrupt critical business processes, manipulate financial transactions, or deploy additional malware to establish persistent access. Because the attack can be launched remotely over the network, organizations should also ensure their network access controls and VPN configurations for administrators are secure.

The May update also includes several other high-priority patches. These address flaws in SAP Business Technology Platform (BTP) and SAP NetWeaver Application Server for ABAP, which could also lead to unauthorized access if left unpatched.

SAP customers are strongly advised to review SAP Security Note 3432598, which details the critical ABAP vulnerability, and apply all relevant patches immediately to mitigate the risk of exploitation.

Share:

// SOURCES

// RELATED

Meta settles bellwether lawsuit alleging addictive design harmed student mental health

Meta's confidential settlement with a Washington school district marks a pivotal moment in the massive litigation against social media's psychological

6 min readMay 24

Huawei zero-day attack behind last year’s crash of Luxembourg's entire telecoms network

A sophisticated zero-day attack on Huawei routers allegedly caused Luxembourg's 2023 national telecom outage, raising severe global security concerns.

6 min readMay 23

MiniPlasma Windows 0-day enables SYSTEM privilege escalation on fully patched systems

A newly disclosed 0-day flaw, MiniPlasma, allows attackers to gain full SYSTEM control on patched Windows systems, with a public PoC accelerating risk

6 min readMay 18

The ransomware dilemma: why more than half of security chiefs would pay the price

A new survey reveals 56% of CISOs would consider paying a ransom, highlighting the intense pressure to restore operations despite official guidance.

6 min readMay 16