When are your SAP Systems most Vulnerable to Cyber Attack?

The short answer to this question is 'on the second Tuesday of every month'. This is known in the SAP world as Security Patch Day and it is the day that all new security related SAP Notes (patches or fixes) are made available to be applied to your systems.

The unfortunate truth is that when a patch is made available you are at your most vulnerable, by virtue of the fact that the vulnerability has now entered into the public domain.

It is not unusual therefore to find that code designed to exploit SAP vulnerabilities also appear on the Internet shortly after Security Patch Day that would allow unscrupulous people to attack your systems, data, and business. For instance, it was reported that the number of attempts to exploit the Log4j vulnerability within a couple of days of it being made public were in the millions, of course not all aimed at SAP systems, but it stresses the point.

It is therefore imperative that your security team actively look at the Security Notes released on Security Patch Day and pay special attention to the CVSS (Common Severity Scoring System) score that accompanies each SAP Security Note.

The CVSS score denotes the severity of the vulnerability with the highest range being 9 - 10, what SAP refer to as 'Hot News'.


Vulnerability Severity CVSS v3 Base score
Low 0.1 – 3.9
Medium 4.0 – 6.9
High 7.0 – 8.9
Critical (Hot News) 9.0 – 10.0

Keeping up to date with SAP Notes and ensuring that your systems are patched accordingly can be problematic often leading companies to being critically and unknowingly exposed. The best practice is to use specialist vulnerability scanning software to highlight and remediate missing patches and to also check for other vulnerabities such as system misconfigurations, open accounts, or insecure interfaces.

What exactly is CVSS?

  • CVSS (Common Vulnerability Scoring System) is used to communicate the severity and characteristics of vulnerabilities found within a software product, such as an operating system, application, security products or database.
  • CVSS is an open, vendor-neutral, technology-independent framework, now in it’s third iteration (Version 3.1), and is widely used by all major software vendors, including SAP who use it to assess the risks and severity of their SAP Security Notes.
  • Scores range from 0 to 10 (with 10 being the highest severity) and are calculated based upon a formula that assesses several metrics, as described in more details below).
  • SAP Release new security notes on the second Tuesday of the every month ('Security Patch Day') with each new vulnerability given a CVSS score.

Below is an example of the recent Log4j SAP Note which has a CVSS Score of 10


For those who want to know a little bit more the metrics that contribute to the final CVSS score then please read on ...

The final CVSS score for any particular vulnerability is derived at by using a formula that combines the following metrics;

Access Vector (AV) - describes how a vulnerability may be exploited, for instance, in terms of the level of network access required.

Access Complexity (AC) - denotes how easy or difficult it is to exploit the vulnerability. This could be low or high.

Privileges Required (PR) - describes the level of access required for an attacker to mount a successful attack. This could be none, low, or high.

User Interaction (UI) - This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component. The Base Score is greatest when no user interaction is required.

Scope (S) - The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope. For instance, could the vulnerability of an application using a shared database be exploited to the extent of causing a vulnerability in the database itself, which would be in a different, or ‘changed’ security scope. The values could be ‘changed’ or ‘unchanged’.

Confidentiality Impact (C) - This metric measures the impact to the confidentiality of the information or data in the system - would it still only be accessible by authorised users or could unauthorised users also gain access to it? This could be High (all confidentiality is lost), Low (some confidentiality is lost) or None (No confidentiality is lost).

Integrity Impact (I) - This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to how much trust you can place on your information. This could be High (a total loss of integrity enabling a hacker to modify any files protected by the impacted component), Low (data modification is possible but limited) or None (No loss of integrity).

Availability Impact (A) - This metric measures the impact to the availability information resources. Attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of an impacted component. This could be High (a total loss of availability), Low (availability is reduced in performance ) or None (No loss of availability).

Full specification details of CVSS V3 and how the equation used to generate the final CVSS score can be found at: https://www.first.org/cvss/specification-document)

If you would like to learn more about, or start a free trial of our Automated SAP Vulnerability Scanning and Remediation software then please contact us at info@greymonarch.com or complete the contact form via the below link.

What Now? ...

Learn More about our SAP Vulnerability Scanning and Remediation

Contact Us