CVE-2026-24328
📋 TL;DR
CVE-2026-24328 is an open redirect vulnerability in SAP TAF_APPLAUNCHER within Business Server Pages that allows unauthenticated attackers to craft malicious links. When victims click these links, they are redirected to attacker-controlled sites, potentially exposing or altering sensitive information in their browser sessions. This affects SAP systems running vulnerable versions of Business Server Pages.
💻 Affected Systems
- SAP Business Server Pages
- SAP TAF_APPLAUNCHER
⚠️ Risk & Real-World Impact
Worst Case
Attackers could redirect authenticated users to phishing sites that steal session cookies or credentials, leading to account compromise and potential data exfiltration.
Likely Case
Users are tricked into visiting malicious sites through legitimate-looking SAP links, potentially leading to credential harvesting or malware distribution.
If Mitigated
With proper user awareness training and browser security controls, impact is limited to inconvenience from unexpected redirects.
🎯 Exploit Status
Open redirect vulnerabilities are commonly exploited in phishing campaigns; because no authentication is required, exploitation is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to SAP Note 3688319 for specific patch versions
Vendor Advisory: https://me.sap.com/notes/3688319
Restart Required: Yes
Instructions:
1. Review SAP Note 3688319 for specific patch details.
2. Apply the SAP Security Patch Day updates.
3. Restart affected SAP services.
4. Verify the fix using the verification steps below.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side validation to reject URLs with external domains in redirect parameters
Implementation varies by SAP configuration; consult SAP documentation for custom validation rules
User Awareness Training
Educate users about phishing risks and suspicious links
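The following is an added illustration of the server-side validation workaround described above; it is not SAP code and does not show how TAF_APPLAUNCHER itself handles its redirect parameter. It assumes an allowlist of the SAP system's own hostnames (the `sap.example.internal` value is constructed) and a hypothetical `safe_redirect_target` helper that an application would call before issuing a redirect. It rejects absolute URLs to foreign hosts, protocol-relative URLs (`//host`), non-https schemes such as `javascript:`, userinfo tricks (`https://trusted@evil`), and backslash variants that some browsers normalise to slashes, falling back to a safe default:

```python
from urllib.parse import urlsplit

# Hosts a redirect may land on. Constructed for this example; a real
# deployment would list the SAP system's own external hostnames.
ALLOWED_HOSTS = {"sap.example.internal"}


def safe_redirect_target(raw: str, default: str = "/") -> str:
    """Return a redirect target that stays on an allowed host.

    Anything that is not a same-site relative path or an https URL to
    an allowlisted host is replaced by `default`.  (Hypothetical helper,
    not part of SAP Business Server Pages.)
    """
    if not raw:
        return default

    # Some browsers treat backslashes as slashes, so "/\evil.example"
    # would otherwise parse as a harmless relative path here but be sent
    # to evil.example by the browser. Normalise before parsing.
    candidate = raw.replace("\\", "/")
    parts = urlsplit(candidate)

    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: only https to an allowed
        # host, with no userinfo component (which can disguise the host).
        if (
            parts.scheme != "https"
            or parts.username is not None
            or parts.hostname not in ALLOWED_HOSTS
        ):
            return default
        return candidate

    # Relative target: require a single leading slash. "//" is already
    # treated as a netloc above, so this only guards malformed input.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return candidate


if __name__ == "__main__":
    # Constructed sample inputs, not values taken from the advisory.
    for target in (
        "/sap/bc/bsp/app/start.htm",
        "https://sap.example.internal/sap/bc/bsp/app/start.htm",
        "https://evil.example/login",
        "//evil.example/login",
        "/\\evil.example",
        "javascript:alert(1)",
        "https://sap.example.internal@evil.example/",
    ):
        print(f"{target!r:60} -> {safe_redirect_target(target)!r}")
```

The allowlist approach is preferable to a denylist of known-bad hosts: an open redirect is only closed when every target that is not explicitly on-site is refused. The same rule applies whatever the framework, including a BSP application that builds a `Location` header from a request parameter.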
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block malicious redirect patterns
- Monitor for suspicious redirect patterns in application logs and user reports
🔍 How to Verify
Check if Vulnerable:
Test by attempting to redirect to external domains using the vulnerable TAF_APPLAUNCHER functionality
Check Version:
Check SAP system version and applied patches via SAP transaction SPAM or SNOTE
Verify Fix Applied:
After patching, test that redirects to external domains are properly blocked or sanitized
📡 Detection & Monitoring
Log Indicators:
- Unusual redirect patterns in web server logs
- Multiple failed redirect attempts to external domains
Network Indicators:
- HTTP 302 redirects to suspicious external domains from SAP application
SIEM Query:
source="sap_web_logs" AND (status=302 OR status=301) AND url CONTAINS "redirect" AND url CONTAINS "http://"
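As an added example of the detection logic behind the log and network indicators above (not the advisory's SIEM query and not an SAP-provided tool), the script below scans constructed access-log lines in a simplified `client method path status location` shape, keeps only 3xx responses, and reports those whose `Location` header points off the SAP system's own hosts. The host set `sap.example.internal`, the log format and the helper names are all assumptions for this illustration:

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# The SAP system's own hostnames. Constructed for this example.
INTERNAL_HOSTS = {"sap.example.internal"}

# Constructed sample log lines, not real SAP web-server output.
# Shape: <client> <method> <path-with-query> <status> <Location header or "-">
SAMPLE_LOG = """\
10.0.0.5 GET /sap/bc/bsp/app/start.htm?redirect=/sap/bc/bsp/app/home.htm 302 /sap/bc/bsp/app/home.htm
10.0.0.7 GET /sap/bc/bsp/app/start.htm?redirect=https://evil.example/login 302 https://evil.example/login
10.0.0.7 GET /sap/bc/bsp/app/start.htm?redirect=//evil.example/login 302 //evil.example/login
10.0.0.9 GET /sap/bc/bsp/app/start.htm 200 -
10.0.0.9 GET /sap/bc/bsp/app/start.htm?redirect=https://sap.example.internal/x 302 https://sap.example.internal/x
"""

LINE_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) (?P<location>\S+)$"
)
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def external_host(url: str):
    """Return the host if `url` leaves INTERNAL_HOSTS, else None.

    Relative paths have no host and are never external. Backslashes are
    normalised first because browsers treat them as slashes.
    """
    host = urlsplit(url.replace("\\", "/")).hostname
    if host is None or host in INTERNAL_HOSTS:
        return None
    return host


def find_external_redirects(log_text: str):
    """Yield (client, external_host, request_path) for every 3xx whose
    Location header points at a host outside INTERNAL_HOSTS."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        if int(m["status"]) not in REDIRECT_STATUSES or m["location"] == "-":
            continue
        host = external_host(m["location"])
        if host is not None:
            findings.append((m["client"], host, m["path"]))
    return findings


def external_redirects_per_client(log_text: str) -> Counter:
    """Count off-site redirects per client, the 'multiple attempts'
    indicator worth alerting on."""
    return Counter(client for client, _, _ in find_external_redirects(log_text))


if __name__ == "__main__":
    for client, host, path in find_external_redirects(SAMPLE_LOG):
        print(f"{client} redirected to {host} via {path}")
    print(external_redirects_per_client(SAMPLE_LOG))
```

Matching on the parsed `Location` host rather than on a substring such as `"http://"` catches `https://` and protocol-relative `//host` targets as well; a substring match on `http://` alone would miss both of the off-site redirects in the sample. Logging the `Location` header (or the redirect parameter) is therefore a prerequisite for this kind of detection.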