Decoding SAP Vulnerability Advisories: Key Insights and Actions for Improved Security
Over the last decade, our team has identified and helped patch a significant number of vulnerabilities in SAP products. In 2024 alone, we worked closely with SAP to address more than 50 flaws, further solidifying our commitment to making these business-critical environments more secure. Our track record in SAP cybersecurity over the past ten years highlights not just the expertise of our team, but also the value of sustained collaboration between researchers and SAP in protecting organizations worldwide.
When it comes to releasing security advisories, we adhere strictly to SAP’s coordinated vulnerability disclosure policies. After discovering a vulnerability, we provide the details to SAP to help them identify the root cause as quickly as possible. Once the patch is publicly released, we don’t publish any information about it for at least three more months, ensuring users have sufficient time to deploy and implement these patches. After this embargo period, we share only the details needed to help organizations understand and evaluate the vulnerability’s impact on their systems. Our primary goal is to educate and protect, not inadvertently equip malicious actors with the tools to exploit these flaws.
Releasing security advisories to the public is a common and critical practice in the cybersecurity industry. Public advisories provide organizations with helpful insights for developing detection mechanisms, implementing mitigations, and gaining a clearer understanding of the broader security landscape. However, as with any information, balance is key. Disclosures that are too detailed can unintentionally aid attackers in creating proof-of-concept exploits or operational attack tools. By carefully curating the content of our advisories, we ensure they are useful to defenders without crossing this line.
At Onapsis, SAP security is at the heart of everything we do. By continuing to identify vulnerabilities and responsibly share our findings, we aim to contribute to a safer ecosystem for all SAP users. We remain steadfast in our commitment to transparency and collaboration, ensuring that every vulnerability we uncover helps build a more secure future. You can regularly read about SAP vulnerability patching and how the Onapsis Research Labs team contributes in our monthly Patch Tuesday updates.