SAP July 2023 security update

Target Industry 

Energy sector. 


SAP has disclosed a critical-level vulnerability, as part of its July 2023 security update, which contains a total of 18 patches. Tracked as CVE-2023-36922 (CVSSv3 score: 9.1), it pertains to an operating system (OS) command injection vulnerability in SAP ECC and SAP S/4HANA (IS-OIL). 

 A full list of the disclosed security flaws can be found within the SAP Advisory. 


Successful exploitation of CVE-2023-36922 allows an authenticated threat actor to inject arbitrary OS commands into an at-risk deployment.  

 Vulnerability Detection 

Security patches for these vulnerabilities have been released by SAP. Previous product versions therefore remain vulnerable to potential exploitation. 

Affected Products 

SAP ECC and SAP S/4HANA (IS-OIL), versions: 600, 602, 603, 604, 605, 606, 617, 618, 800, 802, 803, 804, 805, 806, 807. 

Containment, Mitigations & Remediations 

It is strongly recommended that users of the affected products apply the relevant security patches as soon as possible. The patches can be found within the SAP Support Portal. 

Indicators of Compromise 

No specific Indicators of Compromise (IoC) are available currently. 

Threat Landscape 

SAP is the largest Enterprise Resource Planning (ERP) vendor in the world, occupying a significant portion of the total market share. Given that threat actors generally utilise a combination of probability and asset value to determine which attack surfaces to focus on, SAP products have become a prime target. More than 90% of the Forbes Global 2000 organisations use the SAP product range, which is therefore an integral aspect of their business operations. As such, threat actors will continue to exploit vulnerabilities contained within the associated products in an attempt to extract the sensitive data contained therein.

Threat Group 

No attribution to specific threat actors or groups has been identified at the time of writing.  

Mitre Methodologies 

Common Weakness Enumeration: 

CWE-78 – Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) 

