Vulnerabilities in SAP systems

For the seventh year in a row, edgescan has published its "Vulnerability Statistics Report". The report is based on thousands of scans and penetration tests conducted by edgescan in 2021. It thus shows the current state of cybersecurity and provides insight into current trends and developments.

As in last year's report, some vulnerabilities in SAP systems are listed that are classified as critical.

Inadequate security configuration

The report shows that there are still a large number of systems whose SAP Message Server (MS) or SAP Gateway (GW) is not protected by "Access Control Lists". SAP has offered this security feature for many years, but since the 10KBLAZE exploit at the latest it has been widely discussed and should be implemented by every SAP team.
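One way to review such ACL files for overly broad permit rules, as an added example that is not part of the original article or of any SAP tooling. The function names are hypothetical, the sample file contents are constructed, and the parser assumes the commonly documented `P|D KEY=value` line syntax for the gateway `reginfo`/`secinfo` files and `HOST=` lines for the message server ACL file.

```python
import re

# Constructed sample ACL contents (not taken from any real system).
SAMPLE_REGINFO = """\
#VERSION=2
P TP=SLD_UC HOST=sapapp01.example.internal ACCESS=internal CANCEL=internal
P TP=* HOST=* ACCESS=* CANCEL=*
"""
SAMPLE_MS_ACL = """\
# message server ACL
HOST=sapapp01.example.internal
HOST = *
"""

def parse_rule(line):
    """Return (action, fields); action is None when the line has no P/D prefix."""
    line = re.sub(r"\s*([=,])\s*", r"\1", line)   # tolerate 'HOST = a, b'
    tokens = line.split()
    action = None if "=" in tokens[0] else tokens.pop(0).upper()
    fields = {}
    for tok in tokens:
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key.upper()] = value.split(",")
    return action, fields

def audit_acl(text, host_keys=("HOST", "USER-HOST", "ACCESS")):
    """Return (line_no, reason) for every permit rule that accepts any host."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line, comment or version header
        action, fields = parse_rule(line)
        if action == "D":
            continue                      # deny rules cannot widen access
        wild = [k for k in host_keys if "*" in fields.get(k, [])]
        if wild:
            findings.append((no, "permit with wildcard " + ",".join(wild)))
    return findings

if __name__ == "__main__":
    for name, text in (("reginfo", SAMPLE_REGINFO), ("ms acl", SAMPLE_MS_ACL)):
        for no, reason in audit_acl(text):
            print(f"{name} line {no}: {reason}")
```

A file with no findings can still be too permissive for a given landscape; the check only catches the blanket `*` entries.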

General vulnerabilities

Statistically, the largest number of discovered vulnerabilities are problems that do not originate directly from SAP but could still be related to it. On many Linux-based operating systems, the old SSH-1 protocol is still used too often. Inadequate cipher suites in SSL encryption also occur. These misconfigurations can of course also occur in connection with the operation of SAP systems.

Security gaps in SAP AS Java

Also noticeable are various security vulnerabilities that affect SAP AS Java and appear in large numbers. The report mentions vulnerabilities such as CVE-2020-6287, which allows configuration tasks to be executed without authentication. This makes it possible, among other things, to create administrative users. Also of interest is CVE-2020-6286, which allows ZIP files to be downloaded without authorization.

Vulnerabilities remain open

That patching and maintenance remain a challenge is a fundamental problem in cyber security: patching production systems is not always trivial. The statistics in this report reflect this problem as well. Again and again, scans find vulnerabilities for which a solution has been available for years.

Tönjes Consulting will be happy to help you identify these vulnerabilities in your system. Please write to us:
