SAP ERP Central Component
cpe:2.3:a:sap:erp_central_component:*:*:*:*:*:*:*
A vulnerability exists in SAP ERP Central Component (ECC) and SAP S/4HANA (EHS Management) due to a missing authorization check. This flaw allows an attacker to extract hardcoded clear-text credentials and bypass password authentication by manipulating user parameters. Successful exploitation enables access to, modification of, or deletion of certain change pointer information within EHS objects, potentially affecting subsequent systems. The vulnerability has a low impact on the application's confidentiality and integrity, with no effect on availability.
Exploitation of this vulnerability could lead to unauthorized access to hardcoded clear-text credentials, allowing attackers to bypass password authentication and manipulate change pointer information within EHS objects, with possible repercussions on connected systems.
Users are advised to consult the SAP Security Notes for guidance on applying necessary patches. SAP Security Patch Day occurs on the second Tuesday of each month, when SAP releases security updates. For more information, refer to the SAP Security Notes FAQ.