Cyber Security News

SAP Security Update: Patch For High Severity Vulnerabilities

SAP has released its July 2024 security patch update, addressing 18 product vulnerabilities. The update includes fixes for two high-severity flaws that could potentially allow attackers to gain unauthorized access to sensitive data and systems.

The most critical vulnerability, CVE-2024-39592, affects SAP’s Product Design Cost Estimating (PDCE) tool. With a CVSS score of 7.7, this missing authorization check could enable attackers to read generic table data, potentially exposing sensitive information.

Another high-priority fix addresses CVE-2024-39597 in SAP Commerce, which has a CVSS score of 7.2. This improper authorization check could allow attackers to exploit the forgotten password functionality and gain access to improperly configured sites without merchant approval.

The patch update also includes fixes for 15 medium-severity vulnerabilities affecting various SAP products such as Landscape Management, Document Builder, NetWeaver, CRM, Business Warehouse, S/4HANA, Business Workflow, GUI for Windows, Transportation Management, and Enable Now.

These vulnerabilities encompass a range of issues, including information disclosure, unrestricted file uploads, missing authorization checks, cross-site scripting (XSS), and server-side request forgery (SSRF).

While SAP has not reported any active exploitation of these vulnerabilities, the company strongly recommends that users apply the patches as soon as possible.

Past incidents have shown that attackers often target known SAP vulnerabilities, even after the release of patches. The July 2024 patch update underscores the importance of timely security updates for enterprise software.

Organizations using SAP products should prioritize applying these patches to mitigate potential risks to their systems and data.

Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
