A critical vulnerability in the SAP NetWeaver Application Server AS ABAP has been disclosed under SAP Security Note #3600840, carrying a near-maximum CVSS score of 9.6.
This flaw, rooted in a Missing Authorization Check within the Remote Function Call (RFC) framework, poses a severe risk to system integrity and availability.
Authenticated attackers can exploit this vulnerability under specific conditions to bypass standard authorization checks on the S_RFC object when leveraging transactional (tRFC) or queued RFCs (qRFC).
Such exploitation enables privilege escalation, granting unauthorized access to critical system functions.
The potential impact is catastrophic, as attackers could manipulate application data or disrupt services entirely.
SAP advises immediate patching and highlights that post-patch, additional S_RFC permissions may need to be assigned to certain users.
The accompanying FAQ in SAP Note #3601919 provides detailed guidance on identifying affected users and activating enhanced checks via the profile parameter rfc/authCheckInPlayback set to 1.
Beyond this critical issue, SAP’s June Patch Day addresses multiple high-severity vulnerabilities, underscoring the urgency for robust security updates.
SAP Security Note #3604119, with a CVSS score of 9.1, serves as a textual update to a prior critical patch for SAP Visual Composer, emphasizing mandatory implementation regardless of earlier patches like #3594142.
Meanwhile, SAP Security Note #3609271 (CVSS 8.8) disables a vulnerable report in SAP GRC that could allow low-privileged users to manipulate system credentials, risking confidentiality and integrity.
Another high-priority fix, SAP Security Note #3606484 (CVSS 8.5), resolves a Missing Authorization Check in SAP Business Warehouse and SAP Plug-In Basis, preventing unauthorized deletion of database tables via a remote-enabled function module.
Additionally, vulnerabilities like Cross-Site Scripting (XSS) in SAP BusinessObjects BI Workspace (SAP Note #3560693, CVSS 8.2) and Directory Traversal in SAP Visual Composer (SAP Note #3610591, CVSS 7.6) highlight the diverse attack vectors targeting SAP environments.
These flaws, if exploited, could lead to unauthorized script execution or access to sensitive files, further compromising system security.
The June Patch Day also includes patches for SAP Master Data Management Server (SAP Note #3610006, CVSS 7.5) addressing Memory Corruption and Insecure Session Management issues, alongside contributions from Onapsis Research Labs in identifying and fixing additional XSS vulnerabilities in SAP NetWeaver AS ABAP (SAP Note #3590887, CVSS 5.8).
According to the Report, With nineteen Security Notes released, including one new HotNews and five High Priority updates, this patch cycle is notably impactful.
Organizations running SAP systems are strongly urged to prioritize the application of these patches, especially SAP Security Note #3600840, to mitigate the risk of privilege escalation and safeguard critical business operations against sophisticated threats.
Delaying updates could expose environments to significant exploits, making swift action not just recommended but essential in maintaining a secure SAP landscape.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
Security researchers have uncovered the first-ever zero-click vulnerability in an AI agent, targeting Microsoft 365…
The emergence of Nytheon AI marks a significant escalation in the landscape of uncensored large…
The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with international cybersecurity authorities, announced the…
In a landmark global cybercrime crackdown, INTERPOL’s Operation Secure has seen the takedown of more…
Bitsight TRACE has uncovered more than 40,000 security cameras openly accessible on the internet—streaming live…
Security researchers from Binarly have uncovered a major software vulnerability in the Unified Extensible Firmware…