Missing authentication check in SAP Commerce cloud configuration
Details
CVSS v3
9.6
Affected versions
Unpatched SAP Commerce Cloud deployments with improper Spring Security configuration
Summary
A missing authentication check in SAP Commerce Cloud's configuration endpoint allows unauthenticated remote attackers to upload malicious configuration files and inject arbitrary server-side code. Successful exploitation leads to full compromise of the application server, with complete impact to confidentiality, integrity, and availability of the entire deployment. SAP Commerce Cloud is widely used by large enterprise organizations for customer-facing e-commerce operations.
Remediation
Apply the official security patch from SAP as soon as possible. Restrict public network access to configuration endpoints via web application firewalls or access control lists until patching is complete. Monitor for unauthorized configuration changes and unusual outbound traffic from application servers to detect potential exploitation.
TopVuln sends digest emails with high-risk CVE picks across multiple authoritative sources—curated with EPSS and AI. Choose daily per-stream emails and optional weekly or monthly roundups.