Patch Panic! Unpatched SAP Systems Face System Smackdown: NCERT Issues Warning

Unpatched SAP systems are at risk of compromise following the discovery of critical vulnerabilities, warns the National Computer Emergency Response Team (NCERT).

SAP, a major provider of enterprise software, released security patches on their May Patch Day to address these flaws impacting various products, including SAP NetWeaver, SAP CX Commerce, and SAP Business Client.

CVE-2024-33006 Tops the Threat List

Among the most concerning vulnerabilities is CVE-2024-33006, which carries a high severity rating (CVSS score: 9.6). This flaw in SAP NetWeaver Application Server ABAP allows attackers to upload malicious files, potentially leading to complete system takeover. All SAP_BASIS versions between 700 and 758 are susceptible, making immediate patching crucial.

The May Patch Day updates also addressed critical vulnerabilities in:

  • SAP CX Commerce (CVE-2019-17495 & CVE-2022-36364): These vulnerabilities could be exploited for unauthorized access.
  • SAP BusinessObjects Business Intelligence Platform (CVE-2024-28165): This flaw allows attackers to inject malicious scripts (XSS).

While not as critical, the advisory also highlights medium- and low-severity vulnerabilities in various SAP products, including S/4HANA, My Travel Requests, and SAP UI5. Patching these promptly is still recommended to maintain overall system security.

NCERT Offers Recommendations for Mitigating Risks

To safeguard against these vulnerabilities, NCERT recommends several proactive measures:

  • Promptly apply the latest SAP security patches.
  • Regularly assess vulnerabilities and conduct security audits.
  • Limit system access using the principle of least privilege.
  • Implement robust monitoring and detection mechanisms.

By following these steps, organizations can significantly bolster their SAP security posture and minimize the risk of data breaches and operational disruptions.