SAP patches critical vulnerability that could allow complete system takeover

April 15, 2026 | 2 min read

SAP has released its May 2024 security update, addressing 19 vulnerabilities across its product suite. The most severe patch fixes a critical flaw in the SAP ABAP Server and ABAP Platform that could allow an unauthenticated attacker to gain complete control over affected enterprise systems.

The vulnerability, tracked as CVE-2024-27296, is a missing authorization check with a CVSS score of 9.6 out of 10. According to security firm Onapsis, which discovered and reported the issue, the flaw allows a remote attacker to execute arbitrary ABAP code without any authentication or user interaction. This provides a direct path to compromising the confidentiality, integrity, and availability of the entire system.

A successful exploit could have severe consequences for an organization. An attacker with full control over a core SAP system could access and exfiltrate sensitive data, including financial records, customer information, and intellectual property. They could also disrupt critical business processes, manipulate financial transactions, or deploy additional malware to establish persistent access. Because the flaw is exploitable remotely over the network with no credentials, the exposure of each affected ABAP system matters as much as its patch level: organizations should confirm that these systems are not reachable directly from the internet or from untrusted network segments, and should tighten network access controls to them until the fix is applied.

The May update also includes several other high-priority patches. These address flaws in SAP Business Technology Platform (BTP) and SAP NetWeaver Application Server for ABAP, which could also lead to unauthorized access if left unpatched.

SAP customers are strongly advised to review SAP Security Note 3432598, which details the critical ABAP vulnerability, and apply all relevant patches immediately to mitigate the risk of exploitation.
