SAP security advisories
22 threat alerts tracking vulnerabilities and security advisories that affect SAP products.
Vulnios monitors SAP CVE feeds, vendor advisories, CISA KEV listings, and exploit-prediction data continuously. Each alert below is enriched with severity, exploitation status, affected products, and a remediation path. Use this page to scan recent SAP security news in one place, or click into an individual alert for full detail.
Critical Vulnerability: CVE-2016-7435 — sap — netweaver
Severity: critical
The (1) SCTC_REFRESH_EXPORT_TAB_COMP, (2) SCTC_REFRESH_CHECK_ENV, and (3) SCTC_TMS_MAINTAIN_ALOG functions in the SCTC subpackage in SAP Netweaver 7.40 SP 12 allow remote authenticated users with cert

Critical Vulnerability: CVE-2016-6137 — sap — trex
Severity: critical
An unspecified function in SAP TREX 7.10 Revision 63 allows remote attackers to execute arbitrary OS commands via unknown vectors, aka SAP Security Note 2203591.

Critical Vulnerability: CVE-2016-6139 — sap — trex
Severity: critical
SAP TREX 7.10 Revision 63 allows remote attackers to read arbitrary files via unspecified vectors, aka SAP Security Note 2203591.

Critical Vulnerability: CVE-2016-6138 — sap — trex
Severity: critical
Directory traversal vulnerability in SAP TREX 7.10 Revision 63 allows remote attackers to read arbitrary files via unspecified vectors, aka SAP Security Note 2203591.

Critical Vulnerability: CVE-2016-6147 — sap — trex
Severity: critical
An unspecified interface in SAP TREX 7.10 Revision 63 allows remote attackers to execute arbitrary OS commands with SIDadm privileges via unspecified vectors, aka SAP Security Note 2234226.

Critical Vulnerability: CVE-2016-6150 — sap — hana
Severity: critical
The multi-tenant database container feature in SAP HANA does not properly encrypt communications, which allows remote attackers to bypass intended access restrictions and possibly have unspecified oth

Critical Vulnerability: CVE-2016-6140 — sap — trex
Severity: critical
SAP TREX 7.10 Revision 63 allows remote attackers to write to arbitrary files via vectors related to RFC-Gateway, aka SAP Security Note 2203591.

Critical Vulnerability: CVE-2016-3974 — sap — netweaver_application_server_java
Severity: critical
XML external entity (XXE) vulnerability in the Configuration Wizard in SAP NetWeaver Java AS 7.1 through 7.5 allows remote attackers to cause a denial of service, conduct SMB Relay attacks, or access

Critical Vulnerability: CVE-2016-1928 — sap — hana
Severity: critical
Buffer overflow in the XS engine (hdbxsengine) in SAP HANA allows remote attackers to cause a denial of service or execute arbitrary code via a crafted HTTP request, related to JSON, aka SAP Security

Critical Vulnerability: CVE-2016-1929 — sap — hana
Severity: critical
The XS engine in SAP HANA allows remote attackers to spoof log entries in trace files and consequently cause a denial of service (disk consumption and process crash) via a crafted HTTP request, relate

Critical Vulnerability: CVE-2015-8753 — sap — afaria
Severity: critical
SAP Afaria 7.0.6001.5 allows remote attackers to bypass authorization checks and wipe or lock mobile devices via a crafted request, related to "Insecure signature," aka SAP Security Note 2134905.

Critical Vulnerability: CVE-2017-16684 — sap — business_intelligence_promotion_management_application
Severity: critical
SAP Business Intelligence Promotion Management Application, Enterprise 4.10, 4.20, and 4.30, does not perform authentication checks for functionalities that require user identity.

Critical Vulnerability: CVE-2017-15293 — sap — point_of_sale_xpress_server
Severity: critical
Xpress Server in SAP POS does not require authentication for file read and erase operations, daemon shutdown, terminal read operations, or certain attacks on credentials. This is SAP Security Note 252

Critical Vulnerability: CVE-2017-15295 — sap — point_of_sale_xpress_server
Severity: critical
Xpress Server in SAP POS does not require authentication for read/write/delete file access. This is SAP Security Note 2520064.

Critical Vulnerability: CVE-2015-7241 — sap — netweaver
Severity: critical
XML External Entity (XXE) vulnerability in SAP Netweaver before 7.01.

Critical Vulnerability: CVE-2017-11459 — sap — trex
Severity: critical
SAP TREX 7.10 allows remote attackers to (1) read arbitrary files via an fget command or (2) write to arbitrary files and consequently execute arbitrary code via an fdir command, aka SAP Security Note

Critical Vulnerability: CVE-2016-6256 — sap — business_one
Severity: critical
SAP Business One for Android 1.2.3 allows remote attackers to conduct XML External Entity (XXE) attacks via crafted XML data in a request to B1iXcellerator/exec/soap/vP.001sap0003.in_WCSX/com.sap.b1i.

Critical Vulnerability: CVE-2016-6143 — sap — hana
Severity: critical
SAP HANA DB 1.00.73.00.389160 allows remote attackers to execute arbitrary code via vectors involving the audit logs, aka SAP Security Note 2170806.

Critical Vulnerability: CVE-2016-6818 — sap — business_intelligence_platform
Severity: critical
SQL injection vulnerability in SAP Business Intelligence platform before January 2017 allows remote attackers to obtain sensitive information, modify data, cause a denial of service (data deletion), o

Critical Vulnerability: CVE-2017-7691 — sap — trex
Severity: critical
A code injection vulnerability exists in SAP TREX / Business Warehouse Accelerator (BWA). The vendor response is SAP Security Note 2419592.

Critical Vulnerability: CVE-2016-10311 — sap — netweaver
Severity: critical
Stack-based buffer overflow in SAP NetWeaver 7.0 through 7.5 allows remote attackers to cause a denial of service () by sending a crafted packet to the SAPSTARTSRV port, aka SAP Security Note 2295238.

Critical Vulnerability: CVE-2017-6950 — sap — gui_for_windows
Severity: critical
SAP GUI 7.2 through 7.5 allows remote attackers to bypass intended security policy restrictions and execute arbitrary code via a crafted ABAP code, aka SAP Security Note 2407616.
Track SAP exposure across your environment
Vulnios automatically cross-references your asset inventory against new SAP CVEs and surfaces only what affects you. No more sifting manually — actionable findings only.