📄 Description (English)
SAP Solution Tools Plug-In (ST-PI) contains a function module that does not perform the necessary authorization checks for authenticated users, allowing sensitive information to be disclosed. This vulnerability has a high impact on confidentiality and does not affect integrity or availability.
🤖 AI Executive Summary
SAP Solution Tools Plug-In (ST-PI) versions 7.40, 7.58, 2008_1_700, and 2008_1_710 contain an authorization bypass vulnerability (CWE-862) allowing authenticated users to access sensitive information without proper permission checks. With a CVSS score of 7.7, this poses a significant confidentiality risk to Saudi organizations running SAP systems. Immediate patching is recommended as the vulnerability affects multiple widely-deployed SAP versions across critical business processes.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 29, 2026 15:33
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi banking sector (SAMA-regulated institutions), government agencies (NCA oversight), and large enterprises using SAP for ERP operations. Saudi Aramco and energy sector organizations running ST-PI are particularly vulnerable. The authorization bypass could expose sensitive financial data, operational information, and customer records. Government entities managing critical infrastructure and financial institutions processing payments through SAP systems face elevated confidentiality breach risks. Telecom operators (STC, Mobily) and healthcare providers using SAP for administrative functions are also at risk of unauthorized data disclosure.
🏢 Affected Saudi Sectors
Banking and Financial Services
Government and Public Administration
Energy and Utilities
Healthcare
Telecommunications
Manufacturing
Retail and E-commerce
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
7.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all SAP systems running ST-PI versions 7.40, 7.58, 2008_1_700, or 2008_1_710 across your organization
2. Restrict access to ST-PI function modules to only authorized personnel pending patch deployment
3. Review recent access logs for ST-PI modules to identify potential unauthorized access
4. Implement additional monitoring on ST-PI transactions and data access
PATCHING GUIDANCE:
1. Apply SAP security patches immediately upon availability from SAP Support Portal
2. Test patches in non-production environments first
3. Schedule maintenance windows for production system updates
4. Verify patch installation by checking ST-PI version numbers post-deployment
COMPENSATING CONTROLS (if patching delayed):
1. Implement role-based access control (RBAC) restrictions at SAP application level
2. Disable ST-PI function modules not required for business operations
3. Deploy SAP Gateway security policies to restrict ST-PI access
4. Implement network-level access controls limiting ST-PI connectivity
DETECTION RULES:
1. Monitor for unauthorized ST-PI function module calls in SAP audit logs (transaction SM37, AL11)
2. Alert on access to sensitive tables via ST-PI by non-privileged users
3. Track failed authorization checks in SAP security audit logs
4. Monitor for unusual data extraction patterns from ST-PI modules
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع أنظمة SAP التي تعمل بإصدارات ST-PI 7.40 و 7.58 و 2008_1_700 أو 2008_1_710 عبر المنظمة
2. تقييد الوصول إلى وحدات ST-PI للموظفين المصرح لهم فقط في انتظار نشر التصحيح
3. مراجعة سجلات الوصول الأخيرة لوحدات ST-PI لتحديد الوصول غير المصرح به المحتمل
4. تنفيذ مراقبة إضافية على معاملات ST-PI والوصول إلى البيانات
إرشادات التصحيح:
1. تطبيق تصحيحات أمان SAP فوراً عند توفرها من بوابة دعم SAP
2. اختبار التصحيحات في بيئات غير الإنتاج أولاً
3. جدولة نوافذ الصيانة لتحديثات نظام الإنتاج
4. التحقق من تثبيت التصحيح بفحص أرقام إصدار ST-PI بعد النشر
الضوابط البديلة (إذا تأخر التصحيح):
1. تنفيذ قيود التحكم في الوصول القائمة على الأدوار (RBAC) على مستوى تطبيق SAP
2. تعطيل وحدات ST-PI غير المطلوبة للعمليات التجارية
3. نشر سياسات أمان بوابة SAP لتقييد وصول ST-PI
4. تنفيذ ضوابط الوصول على مستوى الشبكة التي تحد من اتصالية ST-PI
قواعد الكشف:
1. مراقبة استدعاءات وحدة ST-PI غير المصرح بها في سجلات تدقيق SAP (المعاملة SM37 و AL11)
2. التنبيه على الوصول إلى الجداول الحساسة عبر ST-PI من قبل المستخدمين غير المميزين
3. تتبع فحوصات التفويض الفاشلة في سجلات تدقيق أمان SAP
4. مراقبة أنماط استخراج البيانات غير العادية من وحدات ST-PI
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 Control 5.1.1 - Access Control and Authorization
ECC 2024 Control 5.1.2 - User Access Management
ECC 2024 Control 5.2.1 - Information Classification and Handling
ECC 2024 Control 6.1.1 - Vulnerability Management
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Software and Hardware Inventory
SAMA CSF PR.AC-1 - Access Control Policy
SAMA CSF PR.AC-4 - Access Rights and Privileges
SAMA CSF DE.CM-1 - Asset Monitoring and Control
🟡 ISO 27001:2022
ISO 27001:2022 A.5.3 - Segregation of Duties
ISO 27001:2022 A.8.2 - User Access Management
ISO 27001:2022 A.8.3 - User Responsibilities
ISO 27001:2022 A.9.2 - User Access Rights
🟣 PCI DSS v4.0.1
PCI DSS 7.1 - Limit Access to System Components
PCI DSS 7.2 - Establish Access Control Mechanisms
PCI DSS 10.2 - Implement User Identification and Authentication
📦 Affected Products / CPE 4 entries
sap:solution_tools_plug-in:740
sap:solution_tools_plug-in:758
sap:solution_tools_plug-in:2008_1_700
sap:solution_tools_plug-in:2008_1_710