Security News
Threat actors are targeting mission-critical SAP applications unsecured against already patched vulnerabilities, exposing the networks of commercial and government organizations to attacks. SAP and cloud security firm Onapsis warned of these ongoing attacks today, and have worked in partnership with the Cybersecurity and Infrastructure Security Agency and Germany's cybersecurity agency BSI to warn SAP customers to deploy patches and survey their environments for unsecured apps.
Enterprise software giant SAP pushed out fixes for a critical-severity vulnerability in its real-time data monitoring software for manufacturing operations. If exploited, the flaw could allow an attacker to access SAP databases, infect end users with malware and modify network configurations.
SAP's March 2021 Security Patch Day updates include 9 new security notes, including two for critical vulnerabilities affecting the company's NetWeaver Application Server and Manufacturing Integration and Intelligence products. This month's set of patches also includes 4 updates to previously released Patch Day security notes, including updates for two notes rated Hot News, which address a missing authorization check in Solution Manager and deliver the latest patches for the Chromium browser in Business Client.
Onapsis announced the general availability of support for SAP SuccessFactors in The Onapsis Platform. "SaaS applications such as SuccessFactors can introduce new risk into the business-critical application environment if security parameters are not continuously assessed to maintain a strong security posture," said Marty Ray, Chief Information Security Officer at Fossil Group.
SAP is warning of a critical vulnerability in its SAP Commerce platform for e-commerce businesses. The flaw lies in Drools, the rules engine used by SAP Commerce.
SAP has released seven new security notes on February 2021 Security Patch Day, including a Hot News note that addresses a critical flaw in SAP Commerce. Tracked as CVE-2021-21477 and featuring a CVSS score of 9.9, the critical issue could be abused for remote code execution, SAP explains in its advisory.
Ivanti Wavelink announced that Ivanti Velocity 2.1 and Ivanti Speakeasy 1.0 have achieved SAP certification as integrated with SAP S/4HANA and SAP NetWeaver. Adding SAP Extended Warehouse Management and the browser apps for the mobile internet transaction server component within SAP S/4HANA to its portfolio of supported solutions, Ivanti Wavelink brings a modern, mobile interface to SAP environments.
Cybersecurity researchers have warned of a publicly available fully-functional exploit that could be used to target SAP enterprise software. The exploit leverages a vulnerability, tracked as CVE-2020-6207, that stems from a missing authentication check in SAP Solution Manager version 7.2.
Fully-functional exploit code is now publicly available for a maximum severity pre-auth vulnerability impacting default configurations of an SAP Solution Manager component. SAP SolMan is an application lifecycle manager deployed in almost all SAP environments and designed to help unify the management of all SAP and non-SAP systems within a single interface.
A Russian researcher has made public on GitHub a functional exploit targeting a critical vulnerability that SAP patched in its Solution Manager product in March 2020. Tracked as CVE-2020-6207 and featuring a CVSS score of 10, the security flaw is a missing authorization check in the EEM Manager component of SolMan, which could allow an unauthenticated, remote attacker to execute operating system commands on hosts as the SMDAgent user.