Missing Authorization Check in SAP Production and Revenue Accounting

Impact on Business

Successful exploitation of the vulnerability gives the attacker useful information that can be used in espionage campaigns or in building different exploitation chains based on it. This has a high impact on the confidentiality of the system and its business applications.

Vulnerability Details

A certain remote-enabled function module allows non-administrative authenticated users to access highly sensitive information. The vulnerable function module is part of the SAP Production and Revenue Accounting software component.

Solution

SAP has released SAP Note 3488341 which provides patched versions of the affected components.

The patches can be downloaded from https://me.sap.com/notes/3488341

Onapsis strongly recommends SAP customers to download the related security fixes and apply them to the affected components in order to reduce business risks.

Report Timeline

05/21/2024: Onapsis reports vulnerability to SAP
09/10/2024: SAP issues the patch

References

Onapsis blogpost: https://onapsis.com/blog/sap-patch-day-september-2024
CVE Mitre: https://www.cve.org/CVERecord?id=CVE-2024-45286
Vendor Patch: https://me.sap.com/notes/3488341

Back to Advisories

Advisory Information

Public Release Date: 09/10/2025
Security Advisory ID: ONAPSIS-2024-0059
Researcher(s): Cristian Scraba

Vulnerability Information

Vendor: SAP
Affected Components:
- SAP NetWeaver and ABAP Platform
- SAP Production and Revenue Accounting (IS-PRA) component
  (Check SAP Note 3488341 for detailed information on affected releases)
Vulnerability Class: CWE-862: Missing Authorization
CVSS v3 score: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Risk Level: Medium
Assigned CVE: CVE-2024-45286
Vendor patch Information: SAP Security NOTE 3488341

Affected Components Description

S4CEXT 106 SP 01-06
S4CEXT 107 SP 01-04
S4CEXT 108 SP 01-02
IS-PRA 605 SP 16-25
IS-PRA 606 SP 15-33
IS-PRA 617 SP 08-28
IS-PRA 618 SP 07-22
IS-PRA 801
IS-PRA 802 SP 01-14
IS-PRA 803 SP 01-12
IS-PRA 804 SP 01-10
IS-PRA 805 SP 01-08

About our Research Labs

Onapsis Research Labs provides the industry analysis of key security issues that impact mission-critical systems and applications.

Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combine in-depth knowledge and experience to deliver technical and business-context with sound security judgment to the broader information security community.

Find all reported vulnerabilities at:
https://github.com/Onapsis/vulnerability_advisories

This advisory is licensed under a Creative Commons 4.0 BY-ND International License

Safeguarding Tomorrow: Empowering SAP Customers with Advanced Cyber Risk Management

Securing SAP Business Technology Platform (BTP)

The Book on Cybersecurity for SAP

Critical SAP Zero-Day Vulnerability Under Active Exploitation (CVE-2025-31324)

Your S/4HANA Cloud Journey