SAP has released its July 2024 security patch update, addressing 18 product vulnerabilities. The update includes fixes for two high-severity flaws that could potentially allow attackers to gain unauthorized access to sensitive data and systems.
The most critical vulnerability, CVE-2024-39592, affects SAP’s Product Design Cost Estimating (PDCE) tool. With a CVSS score of 7.7, this missing authorization check could enable attackers to read generic table data, potentially exposing sensitive information.
Another high-priority fix addresses CVE-2024-39597 in SAP Commerce, which has a CVSS score of 7.2.
This improper authorization check could allow attackers to exploit the forgotten password functionality and gain access to improperly configured sites without merchant approval.
Attend a Free Webinar on How to Maximize Cybersecurity Program ROI
The patch update also includes fixes for 15 medium-severity vulnerabilities affecting various SAP products such as Landscape Management, Document Builder, NetWeaver, CRM, Business Warehouse, S/4HANA, Business Workflow, GUI for Windows, Transportation Management, and Enable Now.
These vulnerabilities encompass a range of issues, including information disclosure, unrestricted file uploads, missing authorization checks, cross-site scripting (XSS), and server-side request forgery (SSRF).
While SAP has not reported any active exploitation of these vulnerabilities, the company strongly recommends that users apply the patches as soon as possible.
Past incidents have shown that attackers often target known SAP vulnerabilities, even after the release of patches. The July 2024 patch update underscores the importance of timely security updates for enterprise software.
Organizations using SAP products should prioritize applying these patches to mitigate potential risks to their systems and data.
Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!