SAP S/4HANA
cpe:2.3:a:sap:s/4_hana:*:*:*:*:*:*:*
A vulnerability in SAP S/4HANA Cloud Private Edition and On-Premise versions, specifically within the SCM Master Data Layer (MDL), allows authenticated attackers with standard SAP authorization to remotely execute a function module that replaces arbitrary ABAP programs, including standard SAP programs. This vulnerability arises from inadequate input validation and the absence of authorization checks, leading to a high impact on the integrity and availability of the application, while only minimally affecting confidentiality.
Exploitation of this vulnerability could result in unauthorized modification of ABAP programs, including standard SAP programs, and disruption of application availability.
Users are advised to review and implement the SAP Security Note associated with this vulnerability. This can be done through the SAP for Me platform, specifically in the Security Notes section. For details on the next SAP Security Patch Day, refer to the SAP Security Patch Day Bulletin.