SAP has disclosed a critical-level vulnerability, as part of its July 2023 security update, which contains a total of 18 patches. Tracked as CVE-2023-36922 (CVSSv3 score: 9.1), it pertains to an operating system (OS) command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL).
A full list of the disclosed security flaws can be found within the SAP Advisory.
Successful exploitation of CVE-2023-36922 allows an authenticated threat actor to inject arbitrary OS commands into an at-risk deployment.
Security patches for these vulnerabilities have been released by SAP. Unpatched product versions therefore remain vulnerable to potential exploitation.
SAP ECC and SAP S/4HANA (IS-OIL), versions: 600, 602, 603, 604, 605, 606, 617, 618, 800, 802, 803, 804, 805, 806, 807.
Containment, Mitigations & Remediations
It is strongly recommended that users of the affected products apply the relevant security patches as soon as possible. The patches can be found within the SAP Support Portal.
Indicators of Compromise
No specific Indicators of Compromise (IoC) are available currently.
SAP is the largest Enterprise Resource Planning (ERP) vendor in the world, occupying a significant portion of the total market share. Given that threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on, SAP products have become a prime target. More than 90% of the Forbes Global 2000 organisations use the SAP product range and they are therefore an integral aspect of business operations. As such, threat actors will continue to exploit vulnerabilities contained within the associated products in an attempt to extract the sensitive data contained therein.
No attribution to specific threat actors or groups has been identified at the time of writing.
Common Weakness Enumeration:
CWE-78 – Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)