SAP Patch Day Bulletin - 2025

SAP Security Patch Day – January 2025

This post shares information on Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on priority to protect their SAP landscape.

On 14th of January 2025, SAP Security Patch Day saw the release of 14 new Security Notes.

| Note# | Title | Severity | CVSS |
| --- | --- | --- | --- |
| 3537476 | [CVE-2025-0070] Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform. Product: SAP NetWeaver Application Server for ABAP and ABAP Platform; Versions: KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, 8.04, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 7.97, 8.04, 9.12, 9.13, 9.14 | Critical | 9.9 |
| 3550708 | [CVE-2025-0066] Information Disclosure vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework). Product: SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework); Versions: SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 912, SAP_BASIS 913, SAP_BASIS 914 | Critical | 9.9 |
| 3550816 | [CVE-2025-0063] SQL Injection vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform. Product: SAP NetWeaver AS ABAP and ABAP Platform; Versions: SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 | High | 8.8 |
| 3474398 | [CVE-2025-0061] Multiple vulnerabilities in SAP BusinessObjects Business Intelligence Platform. Additional CVE: CVE-2025-0060. Product: SAP BusinessObjects Business Intelligence Platform; Versions: ENTERPRISE 420, 430, 2025 | High | 8.7 |
| 3542533 | [CVE-2025-0069] DLL Hijacking vulnerability in SAPSetup. Product: SAPSetup; Version: LMSAPSETUP 9.0 | High | 7.8 |
| 3542698 | [CVE-2025-0058] Information Disclosure vulnerability in SAP Business Workflow and SAP Flexible Workflow. Product: SAP Business Workflow and SAP Flexible Workflow; Versions: SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 912, SAP_BASIS 913, SAP_BASIS 914 | Medium | 6.5 |
| 3540108 | [CVE-2025-0067] Missing Authorization check in SAP NetWeaver Application Server Java. Product: SAP NetWeaver Application Server Java; Version: WD-RUNTIME 7.50 | Medium | 6.3 |
| 3472837 | [CVE-2025-0055] Information Disclosure vulnerability in SAP GUI for Windows. Product: SAP GUI for Windows; Version: BC-FES-GUI 8.0 | Medium | 6.0 |
| 3502459 | [CVE-2025-0056] Information Disclosure vulnerability in SAP GUI for Java. Product: SAP GUI for Java; Version: BC-FES-JAV 7.80 | Medium | 6.0 |
| 3503138 | [CVE-2025-0059] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML). Product: SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML); Versions: KRNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93, 9.12, 9.14 | Medium | 6.0 |
| 3536461 | [CVE-2025-0053] Information Disclosure Vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform. Product: SAP NetWeaver Application Server for ABAP and ABAP Platform; Versions: SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757 | Medium | 5.3 |
| 3514421 | [CVE-2025-0057] Cross-Site Scripting vulnerability in SAP NetWeaver AS JAVA (User Admin Application). Product: SAP NetWeaver AS JAVA (User Admin Application); Versions: ENGINEAPI 7.50, SERVERCORE 7.50, UMEADMIN 7.50 | Medium | 4.8 |
| 3550674 | [CVE-2025-0068] Missing Authorization check in Remote Function Call (RFC) in SAP NetWeaver Application Server ABAP. Product: SAP NetWeaver Application Server ABAP; Versions: SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 | Medium | 4.3 |
| 3492169 | Multiple Buffer overflow vulnerabilities in SAP BusinessObjects Business Intelligence Platform (Crystal Reports for Enterprise). Related CVEs: CVE-2024-29131, CVE-2024-29133. Product: SAP BusinessObjects Business Intelligence Platform (Crystal Reports for Enterprise); Version: ENTERPRISE 430 | Low | 2.2 |

SAP Security Patch Day - February 2025

This post shares the information on Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on priority to protect their SAP landscape.

On 11th of February 2025, SAP Security Patch Day saw the release of 19 new Security Notes. Further, there were 2 updates to previously released Security Notes.

| Note# | Title | Priority | CVSS |
| --- | --- | --- | --- |
| 3417627 | Update to Security Note released on February 2024 Patch Day: [CVE-2024-22126] Cross Site Scripting vulnerability in NetWeaver AS Java (User Admin Application). Product: SAP NetWeaver AS Java (User Admin Application); Version: 7.50 | High | 8.8 |
| 3525794 | [CVE-2025-0064] Improper Authorization in SAP BusinessObjects Business Intelligence platform (Central Management Console). Product: SAP BusinessObjects Business Intelligence platform (Central Management Console); Versions: ENTERPRISE 430, 2025 | High | 8.7 |
| 3567551 | [CVE-2025-25243] Path traversal vulnerability in SAP Supplier Relationship Management (Master Data Management Catalog). Product: SAP Supplier Relationship Management (Master Data Management Catalog); Version: SRM_MDM_CAT 7.52 | High | 8.6 |
| 3567974 | [CVE-2025-24876] Authentication bypass via authorization code injection in SAP Approuter. Library: @sap/approuter; Version: 2.6.1 to 16.7.1 | High | 8.1 |
| 3567172 | [CVE-2024-38819] Multiple vulnerabilities in SAP Enterprise Project Connection. Related CVEs: CVE-2024-38820, CVE-2024-38828. Product: SAP Enterprise Project Connection; Version: 3.0 | High | 7.5 |
| 3563929 | [CVE-2025-24868] Open Redirect Vulnerability in SAP HANA extended application services, advanced model (User Account and Authentication Services). Product: SAP HANA extended application services, advanced model (User Account and Authentication Services); Version: SAP_EXTENDED_APP_SERVICES 1 | High | 7.1 |
| 3555364 | [CVE-2025-24875] SameSite Defense in Depth not applied for some cookies in SAP Commerce. Product: SAP Commerce; Versions: HY_COM 2205, COM_CLOUD 2211 | Medium | 6.8 |
| 3559510 | [CVE-2025-24874] Missing Defense in Depth Against Clickjacking in SAP Commerce (Backoffice). Product: SAP Commerce (Backoffice); Versions: HY_COM 2205, COM_CLOUD 2211 | Medium | 6.8 |
| 3557138 | Update 1 to Security Note 3417627 - [CVE-2024-22126] Cross Site Scripting vulnerability in NetWeaver AS Java (User Admin Application). Product: SAP NetWeaver AS Java (User Admin Application); Version: 7.50 | Medium | 6.1 |
| 3445708 | [CVE-2025-24867] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform (BI Launchpad). Product: SAP BusinessObjects Platform (BI Launchpad); Versions: ENTERPRISE 430, 2025 | Medium | 6.1 |
| 3562336 | [CVE-2025-24870] Insecure Key & Secret Management vulnerability in SAP GUI for Windows. Product: SAP GUI for Windows; Version: BC-FES-GUI 8.00 | Medium | 6.0 |
| 3540273 | Multiple vulnerabilities in Apache Solr within SAP Commerce Cloud. Related CVEs: CVE-2024-45216, CVE-2024-45217. Product: SAP Commerce Cloud; Versions: HY_COM 2205, COM_CLOUD 2211 | Medium | 5.5 |
| 3526203 | [CVE-2025-0054] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java. Product: SAP NetWeaver Application Server Java; Versions: EP-BASIS 7.50, FRAMEWORK-EXT 7.50 | Medium | 5.4 |
| 3532025 | [CVE-2025-25241] Missing Authorization check in SAP Fiori Apps Reference Library (My Overtime Requests). Product: SAP Fiori Apps Reference Library (My Overtime Requests); Version: GBX01HR5 605 | Medium | 5.4 |
| 3546470 | [CVE-2025-23187] Missing Authorization Check in SAP NetWeaver and ABAP Platform (SDCCN). Related CVE: CVE-2025-23189. Product: SAP NetWeaver and ABAP Platform (SDCCN); Versions: ST-PI 2008_1_700, ST-PI 2008_1_710, ST-PI 740 | Medium | 5.3 |
| 3561264 | [CVE-2025-23193] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP. Product: SAP NetWeaver Server ABAP; Versions: SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 | Medium | 5.3 |
| 3287784 | Update to Security Note released on April 2023 Patch Day: [CVE-2023-24527] Improper Access Control in SAP NetWeaver AS Java for Deploy Service. Product: SAP NetWeaver AS Java for Deploy Service; Versions: ENGINEAPI 7.50, SERVERCORE 7.50 | Medium | 5.3 |
| 3550027 | [CVE-2025-24869] Information Disclosure vulnerability in SAP NetWeaver Application Server Java. Product: SAP NetWeaver Application Server Java; Version: WD-RUNTIME 7.50 | Medium | 4.3 |
| 3553753 | [CVE-2025-24872] Missing Authorization check in SAP ABAP Platform (ABAP Build Framework). Product: SAP ABAP Platform (ABAP Build Framework); Versions: SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 | Medium | 4.3 |
| 3547581 | [CVE-2025-23190] Missing Authorization check in SAP NetWeaver and ABAP platform (ST-PI). Product: SAP NetWeaver and ABAP platform (ST-PI); Versions: ST-PI 2008_1_700, ST-PI 2008_1_710, ST-PI 740 | Medium | 4.3 |
| 3426825 | [CVE-2025-23191] Cache Poisoning through header manipulation vulnerability in SAP Fiori for SAP ERP. Product: SAP Fiori for SAP ERP; Versions: SAP_GWFND 740, 750, 751, 752, 753, 754, 755, 756, 757, 758 | Low | 3.1 |

SAP Security Patch Day - March 2025

This post shares the information on Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on priority to protect their SAP landscape.

On 11th of March 2025, SAP Security Patch Day saw the release of 21 new Security Notes plus 1 Security Note without a CVSS score, since it is an advisory only. Further, there were 3 updates to previously released Security Notes.

 

| Note# | Title | Priority | CVSS |
| --- | --- | --- | --- |
| 3569602 | [CVE-2025-27434] Cross-Site Scripting (XSS) vulnerability in SAP Commerce (Swagger UI). Product: SAP Commerce (Swagger UI); Version: COM_CLOUD 2211 | High | 8.8 |
| 3563927 | [CVE-2025-26661] Missing Authorization check in SAP NetWeaver (ABAP Class Builder). Product: SAP NetWeaver (ABAP Class Builder); Versions: SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 914 | High | 8.8 |
| 3566851 | [CVE-2024-38286] Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud. Related CVE: CVE-2024-52316. Product: SAP Commerce Cloud; Versions: HY-COM 2205, COM-CLOUD 2211 | High | 8.6 |
| 3567974 | Update to Security Note released on February 2025 Patch Day: [CVE-2025-24876] Authentication bypass via authorization code injection in SAP Approuter. Library: @sap/approuter; Version: 2.6.1 to 16.7.1 | High | 8.1 |
| 3483344 | Update to Security Note released on July 2024 Patch Day: [CVE-2024-39592] Missing Authorization check in SAP PDCE. Product: SAP PDCE; Versions: S4CORE 102, 103, S4COREOP 104, 105, 106, 107, 108 | High | 7.7 |
| 3561045 | [CVE-2025-26658] Broken Authentication in SAP Business One (Service Layer). Product: SAP Business One (Service Layer); Versions: B1_ON_HANA 10.0, SAP-M-BO 10.0 | Medium | 6.8 |
| 3552824 | [CVE-2025-26659] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML). Product: SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML); Versions: KRNL64UC 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.89, KERNEL 7.93, KERNEL 9.14 | Medium | 6.1 |
| 3562390 | [CVE-2025-25242] Cross-Site Scripting (XSS) in SAP NetWeaver Application Server ABAP. Product: SAP NetWeaver Application Server ABAP; Versions: SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 914 | Medium | 6.1 |
| 3552144 | [CVE-2025-25244] Missing Authorization Check in SAP Business Warehouse (Process Chains). Product: SAP Business Warehouse (Process Chains); Versions: DW4CORE 100, DW4CORE 200, DW4CORE 300, DW4CORE 400, DW4CORE 914, SAP_BW 730, SAP_BW 731, SAP_BW 740, SAP_BW 750 | Medium | 5.7 |
| 3567246 | [CVE-2025-27431] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java. Product: SAP NetWeaver Application Server Java; Version: AJAX-RUNTIME 7.50 | Medium | 5.4 |
| 3557469 | [CVE-2025-25245] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence). Product: SAP BusinessObjects Business Intelligence Platform (Web Intelligence); Versions: ENTERPRISE 430, 2025 | Medium | 5.4 |
| 3561792 | [CVE-2025-23194] Missing Authentication check in SAP NetWeaver Enterprise Portal (OBN component). Product: SAP NetWeaver Enterprise Portal (OBN component); Version: EP-RUNTIME 7.50 | Medium | 5.3 |
| 3558132 | [CVE-2025-0071] Information Disclosure vulnerability in SAP Web Dispatcher and Internet Communication Manager. Product: SAP Web Dispatcher and Internet Communication Manager; Versions: KRNL64UC 7.53, WEBDISP 7.53, WEBDISP 7.54, WEBDISP 7.77, WEBDISP 7.89, WEBDISP 7.93, KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.89, KERNEL 7.93, KERNEL 9.14 | Medium | 4.9 |
| 3557459 | [CVE-2025-0062] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence). Product: SAP BusinessObjects Business Intelligence Platform; Versions: ENTERPRISE 430, 2025, ENTERPRISECLIENTTOOLS 430, 2025 | Medium | 4.7 |
| 3565835 | [CVE-2025-27433] Broken Access Control vulnerabilities in SAP S/4HANA (Manage Bank Statements). Related CVE: CVE-2025-27436. Product: SAP S/4HANA (Manage Bank Statements); Versions: S4CORE 107, S4CORE 108 | Medium | 4.3 |
| 3557131 | [CVE-2025-23188] Missing Authorization check in SAP S/4HANA (RBD). Product: SAP S/4HANA (RBD); Versions: S4CORE 102, 103, 104, 105, 106, 107, 108, EA-FINSERV 618, EA-FINSERV 800 | Medium | 4.3 |
| 3557655 | [CVE-2025-26660] Broken Access Control in SAP Fiori apps (Posting Library). Product: SAP Fiori apps (Posting Library); Versions: S4CORE 103, 104, 105, 106, 107, 108 | Medium | 4.3 |
| 3474392 | [CVE-2025-26656] Missing Authorization check in S/4HANA (Manage Purchasing Info Records). Product: S/4HANA On-Premise; Versions: S4CORE 105, 106, 107, 108 | Medium | 4.3 |
| 3475427 | Update to Security Note released on August 2024 Patch Day: [CVE-2024-41736] Information Disclosure vulnerability in SAP Permit to Work. Product: SAP Permit to Work; Versions: UIS4HOP1 800, 900 | Medium | 4.3 |
| 3549494 | [CVE-2025-23185] Information Disclosure in SAP Business Objects Business Intelligence Platform. Product: SAP Business Objects Business Intelligence Platform; Versions: ENTERPRISE 430, 2025, 2027 | Medium | 4.1 |
| 3562415 | [CVE-2024-38819] Multiple vulnerabilities in Spring Framework within SAP Commerce Cloud and SAP Datahub. Related CVE: CVE-2024-38820. Product: SAP Commerce Cloud and SAP Datahub; Versions: HY_COM 2205, HY_DHUB 2205, COM_CLOUD 2211, DHUB_CLOUD 2211 | Low | 3.7 |
| 3561861 | [CVE-2025-27430] Server Side Request Forgery (SSRF) in SAP CRM and SAP S/4 HANA (Interaction Center). Product: SAP CRM and SAP S/4HANA (Interaction Center); Versions: S4CRM 100, 200, 204, 205, 206, S4FND 102, 103, 104, 105, 106, 107, 108, S4CEXT 107, 108, BBPCRM 701, 702, 712, 713, 714, WEBCUIF 701, 731, 746, 747, 748, 800, 801 | Low | 3.5 |
| 3347991 | [CVE-2025-26655] Missing Authorization check in SAP JIT (Outbound). Product: SAP Just In Time; Versions: S4CORE 102, 103, 104, 105, 106, 107, ECC-DIMP 618 | Low | 3.1 |
| 3568865 | [CVE-2025-27432] Missing Authorization check in SAP Electronic Invoicing for Brazil (eDocument Cockpit). Product: SAP Electronic Invoicing for Brazil (eDocument Cockpit); Versions: SAP_APPL 617, 618, S4CORE 102, 103, 104, 105, 106, 107, 108 | Low | 2.4 |
| 3576540 | Open Source Security Advisory: Best Practices for Securing Spring Boot Actuator Endpoints for applications running on BTP | Low | 0.0 |

SAP Security Patch Day - April 2025

This post shares the information on Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on priority to protect their SAP landscape.

On 8th of April 2025, SAP Security Patch Day saw the release of 18 new Security Notes. Further, there were 2 updates to previously released Security Notes.

 

| Note# | Title | Priority | CVSS |
| --- | --- | --- | --- |
| 3581961 | [CVE-2025-27429] Code Injection Vulnerability in SAP S/4HANA (Private Cloud). Product: SAP S/4HANA (Private Cloud); Versions: S4CORE 102, 103, 104, 105, 106, 107, 108 | Critical | 9.9 |
| 3587115 | [CVE-2025-31330] Code Injection Vulnerability in SAP Landscape Transformation (Analysis Platform). Product: SAP Landscape Transformation (Analysis Platform); Versions: DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731 | Critical | 9.9 |
| 3572688 | [CVE-2025-30016] Authentication Bypass Vulnerability in SAP Financial Consolidation. Product: SAP Financial Consolidation; Version: FINANCE 1010 | Critical | 9.8 |
| 3525794 | Update to Security Note released on February 2025 Patch Day: [CVE-2025-0064] Improper Authorization in SAP BusinessObjects Business Intelligence platform. Product: SAP BusinessObjects Business Intelligence platform (Central Management Console); Versions: ENTERPRISE 430, 2025 | High | 8.8 |
| 3554667 | [CVE-2025-23186] Mixed Dynamic RFC Destination vulnerability through Remote Function Call (RFC) in SAP NetWeaver Application Server ABAP. Product: SAP NetWeaver Application Server ABAP; Versions: KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93 | High | 8.5 |
| 3590984 | [CVE-2024-56337] Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat within SAP Commerce Cloud. Product: SAP Commerce Cloud; Versions: HY_COM 2205, COM_CLOUD 2211 | High | 8.1 |
| 2927164 | [CVE-2025-30014] Directory Traversal vulnerability in SAP Capital Yield Tax Management. Product: SAP Capital Yield Tax Management; Versions: CYTERP 420_700, CYT 800, IBS 7.0, CYT4HANA 100 | High | 7.7 |
| 3581811 | [CVE-2025-27428] Directory Traversal vulnerability in SAP NetWeaver and ABAP Platform (Service Data Collection). Product: SAP NetWeaver and ABAP Platform (Service Data Collection); Versions: ST-PI 2008_1_700, 2008_1_710, 740 | High | 7.7 |
| 3543274 | [CVE-2025-26654] Potential information disclosure vulnerability in SAP Commerce Cloud (Public Cloud). Product: SAP Commerce Cloud (Public Cloud); Version: COM_CLOUD 2211 | Medium | 6.8 |
| 3571093 | [CVE-2025-30013] Code Injection vulnerability in SAP ERP BW Business Content. Product: SAP ERP BW Business Content; Versions: BI_CONT 707, 737, 747, 757 | Medium | 6.7 |
| 3565751 | [CVE-2025-31332] Insecure File permissions vulnerability in SAP BusinessObjects Business Intelligence Platform. Product: SAP BusinessObjects Business Intelligence Platform; Version: ENTERPRISE 430 | Medium | 6.6 |
| 3568307 | [CVE-2025-26657] Information Disclosure vulnerability in SAP KMC WPC. Product: SAP KMC WPC; Version: KMC-WPC 7.50 | Medium | 5.3 |
| 3559307 | [CVE-2025-26653] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML). Product: SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML); Versions: KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.14 | Medium | 4.7 |
| 3558864 | [CVE-2025-30017] Missing Authorization check in SAP Solution Manager. Product: SAP Solution Manager; Versions: ST 720, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 914 | Medium | 4.4 |
| 3525971 | [CVE-2025-31333] Odata meta-data tampering in SAP S4CORE entity. Product: SAP S4CORE entity; Versions: S4CORE 107, 108 | Medium | 4.3 |
| 3568778 | [CVE-2025-27437] Missing Authorization check in SAP NetWeaver Application Server ABAP (Virus Scan Interface). Product: SAP NetWeaver Application Server ABAP (Virus Scan Interface); Versions: SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 | Medium | 4.3 |
| 3577131 | [CVE-2025-31331] Authorization Bypass vulnerability in SAP NetWeaver. Product: SAP NetWeaver; Versions: SAP_ABA 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G, 75H, 75I | Medium | 4.3 |
| 3539465 | [CVE-2025-27435] Information Disclosure Vulnerability in SAP Commerce Cloud. Product: SAP Commerce Cloud; Versions: HY_COM 2205, COM_CLOUD 2211 | Medium | 4.2 |
| 3565944 | [CVE-2025-30015] Memory Corruption vulnerability in SAP NetWeaver and ABAP Platform (Application Server ABAP). Product: SAP NetWeaver and ABAP Platform (Application Server ABAP); Versions: KRNL64UC 7.53, KERNEL 7.53, 7.54 | Medium | 4.1 |
| 3561861 | Update to Security Note released on March 2025 Patch Day: [CVE-2025-27430] Server Side Request Forgery (SSRF) in SAP CRM and SAP S/4 HANA (Interaction Center). Product: SAP CRM and SAP S/4HANA (Interaction Center); Versions: S4CRM 100, 200, 204, 205, 206, S4FND 102, 103, 104, 105, 106, 107, 108, S4CEXT 107, 108, BBPCRM 701, 702, 712, 713, 714, WEBCUIF 701, 731, 746, 747, 748, 800, 801 | Low | 3.5 |

3 new Security Notes were released after the scheduled Monthly Patch Day. Additionally, 2 previously released Security Notes were updated.

| Note# | Title | Priority | CVSS |
| --- | --- | --- | --- |
| 3594142 | [CVE-2025-31324] Missing Authorization check in SAP NetWeaver (Visual Composer development server). Product: SAP NetWeaver (Visual Composer development server); Version: VCFRAMEWORK 7.50 | Critical | 10.0 |
| 3581961 | Update to Security Note released on April 2025 Patch Day: [CVE-2025-27429] Code Injection Vulnerability in SAP S/4HANA (Private Cloud or On-Premise). Product: SAP S/4HANA (Private Cloud); Versions: S4CORE 102, 103, 104, 105, 106, 107, 108 | Critical | 9.9 |
| 3587115 | Update to Security Note released on April 2025 Patch Day: [CVE-2025-31330] Code Injection Vulnerability in SAP Landscape Transformation (Analysis Platform). Product: SAP Landscape Transformation (Analysis Platform); Versions: DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731 | Critical | 9.9 |
| 3446649 | [CVE-2025-31328] Cross-Site Request Forgery (CSRF) vulnerability in SAP S/4 HANA (Learning Solution). Product: SAP S/4 HANA (Learning Solution); Versions: S4HCMGXX 100, 101 | Medium | 4.6 |
| 3359825 | [CVE-2025-31327] OData meta-data property entity tampering in SAP Field Logistics. Product: SAP Field Logistics; Versions: S4CORE 107, 108 | Medium | 4.3 |

SAP Security Patch Day - May 2025

This post shares the information on Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on priority to protect their SAP landscape.

On 13th of May 2025, SAP Security Patch Day saw the release of 16 new Security Notes. Further, there were 2 updates to previously released Security Notes.

| Note# | Title | Priority | CVSS |
| --- | --- | --- | --- |
| 3594142 | Update to Security Note released on April 2025 Patch Day: [CVE-2025-31324] Missing Authorization check in SAP NetWeaver (Visual Composer development server). Product: SAP NetWeaver (Visual Composer development server); Version: VCFRAMEWORK 7.50 | Critical | 10.0 |
| 3604119 | [CVE-2025-42999] Insecure Deserialization in SAP NetWeaver (Visual Composer development server). Product: SAP NetWeaver (Visual Composer development server); Version: VCFRAMEWORK 7.50 | Critical | 9.1 |
| 3578900 | [CVE-2025-30018] Multiple vulnerabilities in SAP Supplier Relationship Management (Live Auction Cockpit). Related CVEs: CVE-2025-30009, CVE-2025-30010, CVE-2025-30011, CVE-2025-30012. Product: SAP Supplier Relationship Management (Live Auction Cockpit); Version: SRM_SERVER 7.14 | High | 8.6 |
| 3600859 | [CVE-2025-43010] Code injection vulnerability in SAP S/4HANA Cloud Private Edition or On Premise (SCM Master Data Layer (MDL)). Product: SAP S/4HANA Cloud Private Edition or on Premise (SCM Master Data Layer (MDL)); Versions: S4CORE 102, 103, 104, 105, 106, 107, 108, SCM_BASIS 700, 701, 702, 712, 713, 714 | High | 8.3 |
| 3586013 | [CVE-2025-43000] Information Disclosure Vulnerability in SAP Business Objects Business Intelligence Platform (PMW). Product: SAP Business Objects Business Intelligence Platform (PMW); Versions: ENTERPRISE 430, 2025, 2027 | High | 7.9 |
| 3591978 | [CVE-2025-43011] Missing Authorization Check in SAP Landscape Transformation (PCL Basis). Product: SAP Landscape Transformation (PCL Basis); Versions: DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2018_1_752, 2020, S4CORE 102, 103, 104, 105, 106, 107, 108 | High | 7.7 |
| 3483344 | Update to Security Note released on July 2024 Patch Day: [CVE-2024-39592] Missing Authorization check in SAP PDCE. Product: SAP PDCE; Versions: S4CORE 102, 103, S4COREOP 104, 105, 106, 107, 108 | High | 7.7 |
| 3577300 | [CVE-2025-42997] Information Disclosure vulnerability in SAP Gateway Client. Product: SAP Gateway Client; Versions: SAP_GWFND 752, 753, 754, 755, 756, 757, 758 | Medium | 6.6 |
| 3596033 | [CVE-2025-43003] Information Disclosure vulnerability in SAP S/4HANA (Private Cloud & On-Premise). Product: SAP S/4HANA (Private Cloud & On-Premise); Versions: S4CRM 204, 205, 206, S4CEXT 107, 108, BBPCRM 702, 712, 713, 714 | Medium | 6.4 |
| 2491817 | [CVE-2025-43009] Missing Authorization check in SAP Service Parts Management (SPM). Product: SAP Service Parts Management (SPM); Versions: SAP_APPL 600, 602, 603, 604, 605, 606, 616, 617, 618, SAPSCORE 111, S4CORE 100, 101, 102 | Medium | 6.3 |
| 2719724 | [CVE-2025-43007] Missing Authorization check in SAP Service Parts Management (SPM). Product: SAP Service Parts Management (SPM); Versions: SAP_APPL 617, 618, SAPSCORE 116, S4CORE 100, 101, 102, 103 | Medium | 6.3 |
| 3577287 | [CVE-2025-31329] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform. Product: SAP NetWeaver Application Server ABAP and ABAP Platform; Versions: SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 | Medium | 6.2 |
| 3588455 | [CVE-2025-43006] Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management (Master Data Management Catalog). Product: SAP Supplier Relationship Management (Master Data Management Catalog); Version: SRM_MDM_CAT 7.52 | Medium | 6.1 |
| 3585992 | [CVE-2025-43008] Missing Authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal. Product: SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal; Versions: S4HCMCPT 100, 101, SAP_HRCPT 600, 604, 608 | Medium | 5.8 |
| 3571096 | [CVE-2025-43004] Security Misconfiguration Vulnerability in SAP Digital Manufacturing (Production Operator Dashboard). Product: SAP Digital Manufacturing (Production Operator Dashboard); Version: CTNR-DME-PODFOUNDATION-MS 1.0 | Medium | 5.3 |
| 3558755 | [CVE-2025-26662] Cross-Site Scripting (XSS) vulnerability in the SAP Data Services Management Console. Product: SAP Data Services Management Console; Version: SBOP DS JOB SERVER 4.3 | Medium | 4.4 |
| 3227940 | [CVE-2025-43002] Missing Authorization check in SAP S4/HANA (OData meta-data property). Product: SAP S4/HANA (OData meta-data property); Versions: S4CORE 102, 103, 104, 105, 106 | Medium | 4.3 |
| 3574520 | [CVE-2025-43005] Information Disclosure vulnerability in SAP GUI for Windows. Product: SAP GUI for Windows; Version: BC-FES-GUI 8.00 | Medium | 4.3 |



4 previously released Security Notes were updated after the scheduled Monthly Patch Day.

| Note# | Title | Priority | CVSS |
| --- | --- | --- | --- |
| 3474398 | Update to Security Note released on January 2025 Patch Day: [CVE-2025-0061] Multiple vulnerabilities in SAP BusinessObjects Business Intelligence Platform. Additional CVE: CVE-2025-0060. Product: SAP BusinessObjects Business Intelligence Platform; Versions: ENTERPRISE 420, 430, 2025 | High | 8.7 |
| 3591978 | Update to Security Note released on May 2025 Patch Day: [CVE-2025-43011] Missing Authorization Check in SAP Landscape Transformation (PCL Basis). Product: SAP Landscape Transformation (PCL Basis); Versions: DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2018_1_752, 2020, S4CORE 102, 103, 104, 105, 106, 107, 108 | High | 7.7 |
| 3585992 | Update to Security Note released on May 2025 Patch Day: [CVE-2025-43008] Missing Authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal. Product: SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal; Versions: S4HCMCPT 100, 101, SAP_HRCPT 600, 604, 608 | Medium | 5.8 |
| 3426825 | Update to Security Note released on February 2025 Patch Day: [CVE-2025-23191] Cache Poisoning through header manipulation vulnerability in SAP Fiori for SAP ERP. Product: SAP Fiori for SAP ERP; Versions: SAP_GWFND 740, 750, 751, 752, 753, 754, 755, 756, 757, 758 | Low | 3.1 |

SAP Security Patch Day - June 2025

This post shares the information on Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on priority to protect their SAP landscape.

On 10th of June 2025, SAP Security Patch Day saw the release of 14 new Security Notes.

| Note# | Title | Priority | CVSS |
| --- | --- | --- | --- |
| 3600840 | [CVE-2025-42989] Missing Authorization check in SAP NetWeaver Application Server for ABAP. Product: SAP NetWeaver Application Server for ABAP; Versions: KERNEL 7.89, 7.93, 9.14, 9.15 | Critical | 9.6 |
| 3609271 | [CVE-2025-42982] Information Disclosure in SAP GRC (AC Plugin). Product: SAP GRC (AC Plugin); Versions: GRCPINW V1100_700, V1100_731 | High | 8.8 |
| 3606484 | [CVE-2025-42983] Missing Authorization check in SAP Business Warehouse and SAP Plug-In Basis. Product: SAP Business Warehouse and SAP Plug-In Basis; Versions: PI_BASIS 2006_1_700, 701, 702, 731, 740, SAP_BW 750, 751, 752, 753, 754, 755, 756, 757, 758, 914, 915 | High | 8.5 |
| 3560693 | [CVE-2025-23192] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence (BI Workspace). Product: SAP BusinessObjects Business Intelligence (BI Workspace); Versions: ENTERPRISE 430, 2025, 2027 | High | 8.2 |
| 3610591 | [CVE-2025-42977] Directory Traversal vulnerability in SAP NetWeaver Visual Composer. Product: SAP NetWeaver Visual Composer; Version: VCBASE 7.50 | High | 7.6 |
| 3610006 | [CVE-2025-42994] Multiple vulnerabilities in SAP MDM Server. Related CVEs: CVE-2025-42995, CVE-2025-42996. Product: SAP MDM Server; Versions: MDM_SERVER 710.750 | High | 7.5 |
| 3580384 | [CVE-2025-42993] Missing Authorization Check in SAP S/4HANA (Enterprise Event Enablement). Product: SAP S/4HANA (Enterprise Event Enablement); Versions: SAP_GWFND 757, 758 | Medium | 6.7 |
| 3590887 | [CVE-2025-31325] Cross-Site Scripting (XSS) Vulnerability in SAP NetWeaver (ABAP Keyword Documentation). Product: SAP NetWeaver (ABAP Keyword Documentation); Version: SAP_BASIS 758 | Medium | 5.8 |
| 3441087 | [CVE-2025-42984] Missing Authorization check in SAP S/4HANA (Manage Central Purchase Contract application). Product: SAP S/4HANA (Manage Central Purchase Contract application); Versions: S4CORE 106, 107, 108 | Medium | 5.4 |
| 3594258 | [CVE-2025-42998] Security misconfiguration vulnerability in SAP Business One Integration Framework. Product: SAP Business One Integration Framework; Versions: B1_ON_HANA 10.0, SAP-M-BO 10.0 | Medium | 5.3 |
| 3596850 | [CVE-2025-42987] Missing Authorization Check in SAP S/4HANA (Manage Processing Rules - For Bank Statement). Product: SAP S/4HANA (Manage Processing Rules - For Bank Statement); Versions: S4CORE 104, 105, 106, 107, 108 | Medium | 4.3 |
| 3608058 | [CVE-2025-42991] Missing Authorization check in SAP S/4HANA (Bank Account Application). Product: SAP S/4HANA (Bank Account Application); Version: S4CORE 108 | Medium | 4.3 |
| 3585545 | [CVE-2025-42988] Server-Side Request Forgery in SAP Business Objects Business Intelligence Platform. Product: SAP Business Objects Business Intelligence Platform; Versions: ENTERPRISE 430, 2025, 2027 | Low | 3.7 |
| 3601169 | [CVE-2025-42990] HTML Injection in Unprotected SAPUI5 applications. Product: SAPUI5 applications; Versions: SAP_UI 750, 754, 755, 756, 757, 758, UI_700 200 | Low | 3.0 |

SAP Security Patch Day - July 2025

This post shares information on Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches as a priority to protect their SAP landscape.

On 8th of July 2025, SAP Security Patch Day saw the release of 27 new Security Notes. Further, there were 4 updates to previously released Security Notes.

Note#

Title

Priority

CVSS

3578900

Update to Security Note released on May 2025 Patch Day:

[CVE-2025-30012] Multiple vulnerabilities in SAP Supplier Relationship Management (Live Auction Cockpit)
Related CVE - CVE-2025-30009, CVE-2025-30010, CVE-2025-30011, CVE-2025-30018

Product – SAP Supplier Relationship Management (Live Auction Cockpit) 
Version – SRM_SERVER 7.14

Critical

10.0

3618955

[CVE-2025-42967] Code Injection vulnerability in SAP S/4HANA and SAP SCM (Characteristic Propagation)
Product – SAP S/4HANA and SAP SCM (Characteristic Propagation)
Versions – SCMAPO 713, 714, S4CORE 102, 103, 104, S4COREOP 105, 106, 107, 108, SCM 700, 701, 702, 712

Critical

9.9

3620498

[CVE-2025-42980] Insecure Deserialization in SAP NetWeaver Enterprise Portal Federated Portal Network
Product – SAP NetWeaver Enterprise Portal Federated Portal Network
Version – EP-RUNTIME 7.50

Critical

9.1

3621236

[CVE-2025-42964] Insecure Deserialization in SAP NetWeaver Enterprise Portal Administration

Product – SAP NetWeaver Enterprise Portal Administration

Version – EP-RUNTIME 7.50

Critical

9.1

3610892

[CVE-2025-42966] Insecure Deserialization vulnerability in SAP NetWeaver (XML Data Archiving Service)
Product – SAP NetWeaver (XML Data Archiving Service)
Versions – J2EE-APPS 7.50

Critical

9.1

3621771

[CVE-2025-42963] Insecure Deserialization in SAP NetWeaver Application Server for Java (Log Viewer)
Product – SAP NetWeaver Application Server for Java (Log Viewer)
Version – LMNWABASICAPPS 7.50

Critical

9.1

3600846

[CVE-2025-42959] Missing Authentication check after implementation of SAP Security Note 3007182 and 3537476
Product – SAP NetWeaver ABAP Server and ABAP Platform
Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 914, SAP_BASIS 915

High

8.1

3623440

[CVE-2025-42953] Missing Authorization check in SAP NetWeaver Application Server for ABAP

Product – SAP NetWeaver Application Server for ABAP
Versions – SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816

High

8.1

3565279

[CVE-2024-53677] Insecure File Operations vulnerability in SAP Business Objects Business Intelligence Platform (CMC)

Product- SAP Business Objects Business Intelligence Platform (CMC)

Version – ENTERPRISE 430, 2025

High

8.0

3623255

[CVE-2025-42952] Missing Authorization check in SAP Business Warehouse and SAP Plug-In Basis

Product – SAP Business Warehouse and SAP Plug-In Basis
Versions – PI_BASIS 2006_1_700, 701, 702, 731, 740, SAP_BW 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816

High

7.7

3610591

Update to Security Note released on June 2025 Patch Day: 
[CVE-2025-42977] Directory Traversal vulnerability in SAP NetWeaver Visual Composer

Product – SAP NetWeaver Visual Composer 
Version – VCBASE 7.50

High

7.6

3595143

[CVE-2025-43001] Multiple Privilege Escalation Vulnerabilities in SAPCAR

CVEs - CVE-2025-42992

Product – SAPCAR
Versions – SAP_CAR 7.53, 7.22EXT

Medium

6.9

3580384

Update to Security Note released on June 2025 Patch Day: 
[CVE-2025-42993] Missing Authorization Check in SAP S/4HANA (Enterprise Event Enablement)
Product – SAP S/4HANA (Enterprise Event Enablement)
Versions – SAP_GWFND 757, 758

Medium

6.7

3577300

Update to Security Note released on May 2025 Patch Day: 
[CVE-2025-42997] Information Disclosure vulnerability in SAP Gateway Client
Product – SAP Gateway Client
Versions – SAP_GWFND 752, 753, 754, 755, 756, 757, 758

Medium

6.6

3617131

[CVE-2025-42981] Multiple vulnerabilities in SAP NetWeaver Application Server ABAP

CVE - CVE-2025-42956
Product – SAP NetWeaver Application Server ABAP
Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816

Medium

6.1

3596987

[CVE-2025-42969] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform

Product- SAP NetWeaver Application Server ABAP and ABAP Platform
Version – SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758

Medium

6.1

3604212

[CVE-2025-42962] Cross-Site Scripting (XSS) vulnerability in SAP Business Warehouse (Business Explorer Web 3.5 loading animation)
Product - SAP Business Warehouse (Business Explorer Web 3.5 loading animation)
Versions - DW4CORE 100, 200, 300, 400, 916, SAP_BW 730, 731, 740, 750, 751, 752, 753, 754, 756, 757, 758

Medium

6.1

3617380

[CVE-2025-42985] Open Redirect vulnerability in SAP BusinessObjects Content Administrator workbench
Product - SAP BusinessObjects Content Administrator workbench
Versions - DW4CORE 100, 200, 300, 400, SAP_BW 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816, SAP_BW_VIRTUAL_COMP 701

Medium

6.1

3595156

[CVE-2025-42970] Directory Traversal vulnerability in SAPCAR
Product - SAPCAR
Versions - SAP_CAR 7.53, 7.22EXT

Medium

5.8

3607513

[CVE-2025-42979] Insecure Key & Secret Management vulnerability in SAP GUI for Windows
Product - SAP GUI for Windows

Versions - BC-FES-GUI 8.00

Medium

5.6

3606103

[CVE-2025-42973] Cross-Site Scripting (XSS) vulnerability in SAP Data Services (DQ Report)
Product – SAP Data Services (DQ Report)
Version – SBOP_DS_MANAGEMENT_CONSOLE 4.3, 2025

Medium

5.4

3621037

[CVE-2025-42968] Missing Authorization check in SAP NetWeaver (RFC enabled function module)
Product – SAP NetWeaver (RFC enabled function module)
Versions – SAP_BW 700, 701, 702, 710, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816, 914, 916

Medium

5.0

3610322

[CVE-2025-42961] Missing Authorization check in SAP NetWeaver Application Server for ABAP
Product - SAP NetWeaver Application Server for ABAP
Version – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816

Medium

4.9

3608991

[CVE-2025-42960] Missing Authorization Check in SAP Business Warehouse and SAP BW/4HANA BEx Tools
Product – SAP Business Warehouse and SAP BW/4HANA BEx Tools
Version – DW4CORE 100, 200, 300, 400, SAP_BW 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816, SAP_BW_VIRTUAL_COMP 701

Medium

4.3

3626440

[CVE-2025-42986] Missing Authorization check in SAP NetWeaver and ABAP Platform
Product - SAP NetWeaver and ABAP Platform
Versions - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754

Medium

4.3

3610056

[CVE-2025-42974] Missing Authorization Check in SAP NetWeaver and ABAP Platform (SDCCN)
Product- SAP NetWeaver and ABAP Platform (SDCCN)
Version – ST-PI 2008_1_700, 2008_1_710, 740

Medium

4.3

3573199

[CVE-2025-31326] HTML Injection vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence)
Product- SAP BusinessObjects Business Intelligence Platform (Web Intelligence)
Version – ENTERPRISE 430, 2025, 2027, ENTERPRISECLIENTTOOLS 430, 2025, 2027

Medium

4.1

3598118

[CVE-2025-42965] Server Side Request Forgery (SSRF) vulnerability in SAP BusinessObjects BI Platform Central Management Console Promotion Management Application
Product- SAP BusinessObjects BI Platform Central Management Console Promotion Management Application
Version – ENTERPRISE 430, 2025, 2027

Medium

4.1

3595141

[CVE-2025-42971] Memory Corruption vulnerability in SAPCAR
Product- SAPCAR
Version – SAP_CAR 7.53, 7.22EXT

Medium

4.0

3557179

[CVE-2025-42978] Insufficiently Secure Hostname Verification for Outbound TLS Connections in SAP NetWeaver Application Server Java
Product- SAP NetWeaver Application Server Java
Version – ENGINEAPI 7.50

Low

3.5

3608156

[CVE-2025-42954] Denial of service (DOS) in SAP NetWeaver Business Warehouse (CCAW application)
Product- SAP NetWeaver Business Warehouse (CCAW application)
Version – DW4CORE 100, 200, 300, 400, SAP_BW 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816, SAP_BW_VIRTUAL_COMP 701

Low

2.7

1 new Security Note was released after the scheduled Monthly Patch Day. Additionally, 6 previously released Security Notes were updated.

3610892

Update to Security Note released on July 2025 Patch Day:

[CVE-2025-42966] Insecure Deserialization vulnerability in SAP NetWeaver (XML Data Archiving Service)
Product – SAP NetWeaver (XML Data Archiving Service)
Versions – J2EE-APPS 7.50

Critical

9.1

3600846

Update to Security Note released on July 2025 Patch Day:

[CVE-2025-42959] Missing Authentication check after implementation of SAP Security Note 3007182 and 3537476
Product – SAP NetWeaver ABAP Server and ABAP Platform
Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 914, SAP_BASIS 915

High

8.1

3617131

Update to Security Note released on July 2025 Patch Day:

[CVE-2025-42981] Multiple vulnerabilities in SAP NetWeaver Application Server ABAP

CVE - CVE-2025-42956
Product – SAP NetWeaver Application Server ABAP
Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816

Medium

6.1

3596987

Update to Security Note released on July 2025 Patch Day:

[CVE-2025-42969] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform

Product- SAP NetWeaver Application Server ABAP and ABAP Platform
Version – SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758

Medium

6.1

3585992

Update to Security Note released on May 2025 Patch Day:

[CVE-2025-43008] Missing Authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal
Product – SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal
Versions – S4HCMCPT 100, 101, SAP_HRCPT 600, 604, 608

Medium

5.8

3540688

[CVE-2025-42947] Code Injection vulnerability in SAP FICA ODN framework
Product – SAP FICA ODN framework
Versions – SAPSCORE 132, S4CORE 102, 103, 104, 105, 106, 107, 108, FI-CA 606, 616, 617, 618

Medium

5.5


3557179

Update to Security Note released on July 2025 Patch Day:

[CVE-2025-42978] Insufficiently Secure Hostname Verification for Outbound TLS Connections in SAP NetWeaver Application Server Java
Product- SAP NetWeaver Application Server Java
Version – ENGINEAPI 7.50

Low

3.5

SAP Security Patch Day - August 2025

This post shares information on Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches as a priority to protect their SAP landscape.

On 12th of August 2025, SAP Security Patch Day saw the release of 15 new Security Notes. Further, there were 4 updates to previously released Security Notes.

Note#

Title

Priority

CVSS

3627998

[CVE-2025-42957] Code Injection vulnerability in SAP S/4HANA (Private Cloud or On-Premise)

Product - SAP S/4HANA (Private Cloud or On-Premise)
Version - S4CORE 102, 103, 104, 105, 106, 107, 108

Critical

9.9

3633838

[CVE-2025-42950] Code Injection Vulnerability in SAP Landscape Transformation (Analysis Platform)

Product - SAP Landscape Transformation (Analysis Platform)
Version - DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020

Critical

9.9

3581961

Update to Security Note released on April 2025 Patch Day:

[CVE-2025-27429] Code Injection Vulnerability in SAP S/4HANA (Private Cloud or On-Premise)

Product – SAP S/4HANA (Private Cloud or On-Premise)
Version – S4CORE 102, 103, 104, 105, 106, 107, 108

Critical

9.9

3625403

[CVE-2025-42951] Broken Authorization in SAP Business One (SLD)

Product - SAP Business One (SLD)
Version - B1_ON_HANA 10.0, SAP-M-BO 10.0

High

8.8

3611184

[CVE-2025-42976] Multiple vulnerabilities in SAP NetWeaver Application Server ABAP (BIC Document)

Additional CVE - CVE-2025-42975

Product - SAP NetWeaver Application Server ABAP (BIC Document)
Version - S4COREOP 104, 105, 106, 107, 108, SEM-BW 600, 602, 603, 604, 605, 634, 736, 746, 747, 748

High

8.1

3614804

[CVE-2025-42946] Directory Traversal vulnerability in SAP S/4HANA (Bank Communication Management)

Product - SAP S/4HANA (Bank Communication Management)
Version - SAP_APPL 606, SAP_FIN 617, 618, 720, 730, S4CORE 102, 103, 104, 105, 106, 107, 108

Medium

6.9

3585491

[CVE-2025-42945] HTML Injection vulnerability in SAP NetWeaver Application Server ABAP

Product - SAP NetWeaver Application Server ABAP
Version - KRNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93

Medium

6.1

3597355

[CVE-2025-42942] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server for ABAP

Product - SAP NetWeaver Application Server for ABAP
Version - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816, SAP_BASIS 914, SAP_BASIS 916

Medium

6.1

3629871

[CVE-2025-42948] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Platform

Product - SAP NetWeaver ABAP Platform
Version - S4CRM 100, 200, 204, 205, 206, S4CEXT 107, 108, 109, BBPCRM 713, 714

Medium

6.1

3503138

Update to Security Note released on January 2025 Patch Day:

[CVE-2025-0059] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)

Product – SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)
Version – KRNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93, 9.12, 9.14

Medium

6.0

3602656

[CVE-2025-42936] Missing Authorization check in SAP NetWeaver Application Server for ABAP

Product - SAP NetWeaver Application Server for ABAP
Version - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816

Medium

5.4

3561792

Update to Security Note released on March 2025 Patch Day:

[CVE-2025-23194] Missing Authentication check in SAP NetWeaver Enterprise Portal (OBN component)
Product – SAP NetWeaver Enterprise Portal (OBN component)
Version – EP-RUNTIME 7.50

Medium

5.3

3626722

[CVE-2025-42949] Missing Authorization check in ABAP Platform

Product - ABAP Platform
Version - SAP_BASIS 758, SAP_BASIS 816, SAP_BASIS 916

Medium

4.9

3627845

[CVE-2025-42943] Information Disclosure in SAP GUI for Windows

Product - SAP GUI for Windows
Version - BC-FES-GUI 8.00

Medium

4.5

3616863

[CVE-2025-42934] CRLF Injection vulnerability in SAP S/4HANA (Supplier invoice)

Product - SAP S/4HANA (Supplier invoice)
Version - S4CORE 102, 103, 104, 105, 106, 107, 108, 109

Medium

4.3

3577131

Update to Security Note released on April 2025 Patch Day:

[CVE-2025-31331] Authorization Bypass vulnerability in SAP NetWeaver

Product – SAP NetWeaver
Version – SAP_ABA 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G, 75H, 75I

Medium

4.3

3601480

[CVE-2025-42935] Information Disclosure vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Manager)

Product - SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Manager)
Version - KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.14, 9.15, 9.16

Medium

4.1

3611345

[CVE-2025-42955] Missing authorization check in SAP Cloud Connector

Product - SAP Cloud Connector
Version - SAP_CLOUD_CONNECTOR 2.0

Low

3.5

3624943

[CVE-2025-42941] Reverse Tabnabbing vulnerability in SAP Fiori (Launchpad)

Product - SAP Fiori (Launchpad)
Version - SAP_UI 754

Low

3.5

SAP Security Patch Day - September 2025

This post shares information on Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches as a priority to protect their SAP landscape.

On 9th of September 2025, SAP Security Patch Day saw the release of 21 new security notes. Further, there were 5 updates to previously released security notes.

Note#

Title

Priority

CVSS

3634501

[CVE-2025-42944] Insecure Deserialization vulnerability in SAP NetWeaver (RMI-P4)

Product - SAP NetWeaver AS Java
Version - SERVERCORE 7.50

Critical

10.0

3643865

[CVE-2025-42922] Insecure File Operations vulnerability in SAP NetWeaver AS Java (Deploy Web Service)

Product - SAP NetWeaver AS Java (Deploy Web Service)
Version - J2EE-APPS 7.50

Critical

9.9

3302162

Update to Security Note released on March 2023 Patch Day:

[CVE-2023-27500] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform

Product – SAP NetWeaver AS for ABAP and ABAP Platform
Version – 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757

Critical

9.6

3627373

[CVE-2025-42958] Missing Authentication check in SAP NetWeaver

Product - SAP NetWeaver
Version - KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54

Critical

9.1

3642961

[CVE-2025-42933] Insecure Storage of Sensitive Information in SAP Business One (SLD)

Product - SAP Business One (SLD)
Version - B1_ON_HANA 10.0, SAP-M-BO 10.0

High

8.8

3633002

[CVE-2025-42929] Missing input validation vulnerability in SAP Landscape Transformation Replication Server

Product - SAP Landscape Transformation Replication Server
Version - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020

High

8.1

3635475

[CVE-2025-42916] Missing input validation vulnerability in SAP S/4HANA (Private Cloud or On-Premise)

Product - SAP S/4HANA (Private Cloud or On-Premise)
Version - S4CORE 102, 103, 104, 105, 106, 107, 108

High

8.1

3581811

Update to Security Note released on April 2025 Patch Day:

[CVE-2025-27428] Directory Traversal vulnerability in SAP NetWeaver and ABAP Platform (Service Data Collection)

Product - SAP NetWeaver and ABAP Platform (Service Data Collection)
Version - ST-PI 2008_1_700, 2008_1_710, 740

High

7.7

3620264

[CVE-2025-22228] Security Misconfiguration vulnerability in Spring Security within SAP Commerce Cloud and SAP Datahub

Product - SAP Commerce Cloud and SAP Datahub
Version - HY_COM 2205, HY_DHUB 2205, COM_CLOUD 2211, DHUB_CLOUD 2211

Medium

6.6

3614067

[CVE-2025-42930] Denial of Service (DoS) vulnerability in SAP Business Planning and Consolidation

Product - SAP Business Planning and Consolidation
Version - BPC4HANA 200, 300, SAP_BW 750, 751, 752, 753, 754, 755, 756, 757, 758, 816, 914, CPMBPC 810

Medium

6.5

3635587

[CVE-2025-42912] Missing Authorization check in SAP HCM (My Timesheet Fiori 2.0 application)

Additional CVEs - CVE-2025-42913, CVE-2025-42914

Product - SAP HCM (My Timesheet Fiori 2.0 application)
Version - GBX01HR5 605

Medium

6.5

3643832

[CVE-2025-42917] Missing Authorization check in SAP HCM (Approve Timesheets Fiori 2.0 application)

Product - SAP HCM (Approve Timesheets Fiori 2.0 application)
Version - GBX01HR5 605

Medium

6.5

3611420

[CVE-2023-5072] Denial of Service (DoS) vulnerability due to outdated JSON library used in SAP BusinessObjects Business Intelligence Platform

Product - SAP BusinessObjects Business Intelligence Platform
Version - ENTERPRISE 430, 2025, 2027

Medium

6.5

3647098

[CVE-2025-42920] Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management

Product - SAP Supplier Relationship Management
Version – SRM_SERVER 700, 701, 702, 713, 714

Medium

6.1

3629325

[CVE-2025-42938] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Platform

Product - SAP NetWeaver ABAP Platform
Version - S4CRM 100, 200, 204, 205, 206, S4CEXT 109, BBPCRM 713, 714

Medium

6.1

3409013

[CVE-2025-42915] Missing Authorization Check in Fiori app (Manage Payment Blocks)

Product - Fiori app (Manage Payment Blocks)
Version - S4CORE 107, 108

Medium

5.4

3619465

[CVE-2025-42926] Missing Authentication check in SAP NetWeaver Application Server Java

Product - SAP NetWeaver Application Server Java
Version - WD-RUNTIME 7.50

Medium

5.3

3627644

[CVE-2025-42911] Missing Authorization check in SAP NetWeaver (Service Data Download)

Product - SAP NetWeaver (Service Data Download)
Version - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816

Medium

5.0

3610322

Update to Security Note released on July 2025 Patch Day:

[CVE-2025-42961] Missing Authorization check in SAP NetWeaver Application Server for ABAP

Product - SAP NetWeaver Application Server for ABAP
Version – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816

Medium

4.9

3640477

[CVE-2025-42925] Predictable Object Identifier vulnerability in SAP NetWeaver AS Java (IIOP Service)

Product - SAP NetWeaver AS Java (IIOP Service)
Version – SERVERCORE 7.50

Medium

4.3

3450692

[CVE-2025-42923] Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App (F4044 Manage Work Center Groups)

Product - SAP Fiori App (F4044 Manage Work Center Groups)
Version - UIS4HOP1 600, 700, 800, 900

Medium

4.3

3623504

[CVE-2025-42918] Missing Authorization check in SAP NetWeaver Application Server for ABAP (Background Processing)

Product - SAP NetWeaver Application Server for ABAP (Background Processing)
Version - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816

Medium

4.3

3577131

Update to Security Note released on April 2025 Patch Day:

[CVE-2025-31331] Authorization Bypass vulnerability in SAP NetWeaver

Product - SAP NetWeaver
Version - SAP_ABA 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G, 75H, 75I

Medium

4.3


3624943

Update to Security Note released on August 2025 Patch Day:

[CVE-2025-42941] Reverse Tabnabbing vulnerability in SAP Fiori (Launchpad)

Product - SAP Fiori (Launchpad)
Version - SAP_UI 754

Low

3.5


3525295

[CVE-2025-42927] Information Disclosure due to Outdated OpenSSL Version in SAP NetWeaver AS Java (Adobe Document Service)

Product - SAP NetWeaver AS Java (Adobe Document Service)
Version - ADSSAP 7.50

Low

3.4

3632154


[CVE-2024-13009] Potential Improper Resource Release vulnerability in SAP Commerce Cloud

Product - SAP Commerce Cloud
Version - HY_COM 2205, COM_CLOUD 2211

Low

3.1

1 new security note was released after the scheduled Monthly Patch Day. Additionally, 7 previously released security notes were updated.

3634501

Update to Security Note released on September 2025 Patch Day:

[CVE-2025-42944] Insecure Deserialization vulnerability in SAP NetWeaver (RMI-P4)

Product - SAP NetWeaver (RMI-P4)

Version - SERVERCORE 7.50

Critical

10.0

3643865

Update to Security Note released on September 2025 Patch Day:

[CVE-2025-42922] Insecure File Operations vulnerability in SAP NetWeaver AS Java (Deploy Web Service)

Product - SAP NetWeaver AS Java (Deploy Web Service)

Version - J2EE-APPS 7.50

Critical

9.9

3302162

Update to Security Note released on March 2023 Patch Day:

[CVE-2023-27500] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform

Product – SAP NetWeaver AS for ABAP and ABAP Platform

Version – 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757

Critical

9.6

3643832

Update to Security Note released on September 2025 Patch Day:

[CVE-2025-42917] Missing Authorization check in SAP HCM (Approve Timesheets Fiori 2.0 application)

Product - SAP HCM (Approve Timesheets Fiori 2.0 application)

Version - GBX01HR5 605

Medium

6.5

3635587

Update to Security Note released on September 2025 Patch Day:

[CVE-2025-42912] Missing Authorization check in SAP HCM (My Timesheet Fiori 2.0 application)
Additional CVE - CVE-2025-42913, CVE-2025-42914

Product - SAP HCM (My Timesheet Fiori 2.0 application)

Version - GBX01HR5 605

Medium

6.5

3409013

Update to Security Note released on September 2025 Patch Day:

[CVE-2025-42915] Missing Authorization Check in Fiori app (Manage Payment Blocks)

Product - Fiori app (Manage Payment Blocks)

Version - S4CORE 107, 108

Medium

5.4

3623504

Update to Security Note released on September 2025 Patch Day:

[CVE-2025-42918] Missing Authorization check in SAP NetWeaver Application Server for ABAP (Background Processing)

Product - SAP NetWeaver Application Server for ABAP (Background Processing)

Version - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816

Medium

4.3

3540622

[CVE-2025-42907] Server-Side Request Forgery in SAP BI Platform

Product - SAP BI Platform

Version - ENTERPRISE 430, 2025, 2027

Medium

4.3

SAP Security Patch Day - October 2025

This post shares information on Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches as a priority to protect their SAP landscape.

On 14th of October 2025, SAP Security Patch Day saw the release of 13 new Security Notes. Further, there were 4 updates to previously released Security Notes.

Note#

Title

Priority

CVSS

3660659

[CVE-2025-42944] Security Hardening for Insecure Deserialization in SAP NetWeaver AS Java
Product - SAP NetWeaver AS Java
Version - SERVERCORE 7.50

Critical

10.0

3634501

Update to Security Note released on September 2025 Patch Day:

[CVE-2025-42944] Insecure Deserialization vulnerability in SAP NetWeaver (RMI-P4)
Product - SAP NetWeaver AS Java
Version - SERVERCORE 7.50

Critical

10.0

3630595

[CVE-2025-42937] Directory Traversal vulnerability in SAP Print Service
Product - SAP Print Service
Versions - SAPSPRINT 8.00, 8.10

Critical

9.8

3647332

[CVE-2025-42910] Unrestricted File Upload Vulnerability in SAP Supplier Relationship Management
Product - SAP Supplier Relationship Management
Versions - SRMNXP01 100, 150

Critical

9.0

3664466

[CVE-2025-5115] Denial of service (DOS) in SAP Commerce Cloud (Search and Navigation)
Product - SAP Commerce Cloud
Versions - HY_COM 2205, COM_CLOUD 2211, 2211-JDK21

High

7.5

3658838

[CVE-2025-48913] Security Misconfiguration vulnerability in SAP Data Hub Integration Suite
Product - SAP Data Hub Integration Suite
Version - CX_DATAHUB_INT_PACK 2205

High

7.1

3503138

Update to Security Note released on January 2025 Patch Day:

[CVE-2025-0059] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)
Product- SAP NetWeaver Application Server ABAP
Versions – KRNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93, 9.12, 9.14

Medium

6.0

3652788

[CVE-2025-42901] Code Injection vulnerability in SAP Application Server for ABAP (BAPI Browser)
Product - SAP Application Server for ABAP
Versions - SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816

Medium

5.4

3642021

[CVE-2025-42908] Cross-Site Request Forgery (CSRF) vulnerability in SAP NetWeaver Application Server for ABAP
Product - SAP NetWeaver Application Server for ABAP
Versions - KRNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93, 9.16

Medium

5.4

3441087

Update to Security Note released on June 2025 Patch Day:

[CVE-2025-42984] Missing Authorization check in SAP S/4HANA (Manage Central Purchase Contract application)
Product - SAP S/4HANA
Versions - S4CORE 106, 107, 108

Medium

5.4

3634724

[CVE-2025-42906] Directory Traversal vulnerability in SAP Commerce Cloud
Product - SAP Commerce Cloud
Version - COM_CLOUD 2211

Medium

5.3

3627308

[CVE-2025-42902] Memory Corruption vulnerability in SAP NetWeaver AS ABAP and ABAP Platform
Product - SAP NetWeaver AS ABAP and ABAP Platform
Versions - KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.14, 9.15, 9.16

Medium

5.3

3625683

[CVE-2025-42939] Missing Authorization Check in SAP S/4HANA (Manage Processing Rules - For Bank Statements)
Product - SAP S/4HANA
Versions - S4CORE 104, 105, 106, 107, 108, 109

Medium

4.3

3577131

Update to Security Note released on April 2025 Patch Day:

[CVE-2025-31331] Authorization Bypass vulnerability in SAP NetWeaver
Product - SAP NetWeaver
Versions - SAP_ABA 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G, 75H, 75I

Medium

4.3

3656781

[CVE-2025-42903] User Enumeration and Sensitive Data Exposure via RFC Function in SAP Financial Service Claims Management

Product - SAP Financial Service Claims Management
Versions - INSURANCE 803, 804, 805, 806, S4CEXT 107, 108, 109

Medium

4.3

3617142

[CVE-2025-31672] Deserialization Vulnerability in SAP BusinessObjects (Web Intelligence and Platform Search)
Product - SAP BusinessObjects
Versions - ENTERPRISE 430, 2025, 2027

Low

3.5

3643871

[CVE-2025-42909] Security Misconfiguration vulnerability in SAP Cloud Appliance Library Appliances

Product - SAP Cloud Appliance Library Appliances
Version - TITANIUM_WEBAPP 4.0

Low

3.0

6 previously released security notes were updated after the scheduled monthly Patch Day.

3660659

Update to Security Note released on October 2025 Patch Day:

[CVE-2025-42944] Security Hardening for Insecure Deserialization in SAP NetWeaver AS Java
Product - SAP NetWeaver AS Java
Version - SERVERCORE 7.50

Critical

10.0

3647332

Update to Security Note released on October 2025 Patch Day:

[CVE-2025-42910] Unrestricted File Upload Vulnerability in SAP Supplier Relationship Management
Product - SAP Supplier Relationship Management
Versions - SRMNXP01 100, 150

Critical

9.0

3664466

Update to Security Note released on October 2025 Patch Day:

[CVE-2025-5115] Denial of service (DOS) in SAP Commerce Cloud (Search and Navigation)
Product - SAP Commerce Cloud
Versions - HY_COM 2205, COM_CLOUD 2211, 2211-JDK21

High

7.5

3597355

Update to Security Note released on August 2025 Patch Day:

[CVE-2025-42942] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server for ABAP
Product - SAP NetWeaver Application Server for ABAP
Versions - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816, SAP_BASIS 914, SAP_BASIS 916

Medium

6.1

3627644

Update to Security Note released on September 2025 Patch Day:

[CVE-2025-42911] Missing Authorization check in SAP NetWeaver (Service Data Download)
Product - SAP NetWeaver (Service Data Download)
Versions - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816

Medium

5.0

3617142

Update to Security Note released on October 2025 Patch Day:

[CVE-2025-31672] Deserialization Vulnerability in SAP BusinessObjects (Web Intelligence and Platform Search)
Product - SAP BusinessObjects
Versions - ENTERPRISE 430, 2025, 2027

Low

3.5

SAP Security Patch Day - November 2025

This post shares the information on security notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on priority to protect their SAP landscape.

On 11th of November 2025, SAP security patch day saw the release of 18 new security notes. Further, there were 2 updates to previously released security notes.

Note#

Title

Priority

CVSS

3666261

[CVE-2025-42890] Insecure key & Secret Management vulnerability in SQL Anywhere Monitor (Non-Gui)
Product - SQL Anywhere Monitor (Non-Gui)
Version(s) - SYBASE_SQL_ANYWHERE_SERVER 17.0

Critical

10.0

3660659

Update to Security Note released on October 2025 Patch Day:

[CVE-2025-42944] Security Hardening for Insecure Deserialization in SAP NetWeaver AS Java
Product - SAP NetWeaver AS Java
Version(s) - SERVERCORE 7.50

Critical

10.0

3668705

[CVE-2025-42887] Code Injection vulnerability in SAP Solution Manager
Product - SAP Solution Manager
Version(s) - ST 720

Critical

9.9

3633049

[CVE-2025-42940] Memory Corruption vulnerability in SAP CommonCryptoLib
Product - SAP CommonCryptoLib
Version(s) - CRYPTOLIB 8

High

7.5

3643385

[CVE-2025-42895] Code Injection vulnerability in SAP HANA JDBC Client
Product - SAP HANA JDBC Client
Version(s) - HDB_CLIENT 2.0

Medium

6.9

3665900

[CVE-2025-42892] OS Command Injection vulnerability in SAP Business Connector
Product - SAP Business Connector
Version(s) - SAP BC 4.8

Medium

6.8

3666038

[CVE-2025-42894] Path Traversal vulnerability in SAP Business Connector
Product - SAP Business Connector
Version(s) - SAP BC 4.8

Medium

6.8

3660969

[CVE-2025-42884] JNDI Injection vulnerability in SAP NetWeaver Enterprise Portal
Product - SAP NetWeaver Enterprise Portal
Version(s) - EP-BASIS 7.50, EP-RUNTIME 7.50

Medium

6.5

3642398

[CVE-2025-42924] Open Redirect vulnerabilities in SAP S/4HANA landscape (SAP E-Recruiting BSP)
Product - SAP S/4HANA landscape (SAP E-Recruiting BSP)
Version(s) - S4ERECRT 100, 200, ERECRUIT 600, 603, 604, 605, 606, 616, 617, 800, 801, 802

Medium

6.1

3662000

[CVE-2025-42893] Open Redirect vulnerability in SAP Business Connector
Product - SAP Business Connector
Version(s) - SAP BC 4.8

Medium

6.1

3665907

[CVE-2025-42886] Reflected Cross-Site Scripting (XSS) vulnerability in SAP Business Connector
Product - SAP Business Connector
Version(s) - SAP BC 4.8

Medium

6.1

3639264

[CVE-2025-42885] Missing authentication in SAP HANA 2.0 (hdbrss)
Product - SAP HANA 2.0 (hdbrss)
Version(s) - HDB 2.00

Medium

5.8

3651097

[CVE-2025-42888] Information Disclosure vulnerability in SAP GUI for Windows
Product - SAP GUI for Windows
Version(s) - BC-FES-GUI 8.00, 8.10

Medium

5.5

2886616

[CVE-2025-42889] SQL Injection vulnerability in SAP Starter Solution (PL SAFT)
Product - SAP Starter Solution (PL SAFT)
Version(s) - SAP_APPL 600, 602, 603, 604, 605, 606, 616, SAP_FIN 617, 618, 700, 720, 730, S4CORE 100, 101, 102, 103, 104

Medium

5.4

3643603

[CVE-2025-42919] Information Disclosure vulnerability in SAP NetWeaver Application Server Java
Product - SAP NetWeaver Application Server Java
Version(s) - ENGINEAPI 7.50, EP-BASIS 7.50

Medium

5.3

3652901

[CVE-2025-42897] Information Disclosure vulnerability in SAP Business One (SLD)
Product - SAP Business One (SLD)
Version(s) - B1_ON_HANA 10.0, SAP-M-BO 10.0

Medium

5.3

3530544

[CVE-2025-42899] Missing Authorization check in SAP S4CORE (Manage Journal Entries)
Product - SAP S4CORE (Manage Journal Entries)
Version(s) - S4CORE 104, 105, 106, 107, 108

Medium

4.3

3643337

[CVE-2025-42882] Missing Authorization check in SAP NetWeaver Application Server for ABAP
Product - SAP NetWeaver Application Server for ABAP
Version(s) - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816

Medium

4.3

3426825

Update to Security Note released on February 2025 Patch Day:

[CVE-2025-23191] Cache Poisoning through header manipulation vulnerability in SAP Fiori for SAP ERP
Product - SAP Fiori for SAP ERP
Version(s) - SAP_GWFND 740, 750, 751, 752, 753, 754, 755, 756, 757, 758

Low

3.1

3634053

[CVE-2025-42883] Insecure File Operations vulnerability in SAP NetWeaver Application Server for ABAP (Migration Workbench)
Product - SAP NetWeaver Application Server for ABAP (Migration Workbench)
Version(s) - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816

Low

2.7

3 previously released security notes were updated after the scheduled monthly patch day.

Note#

Title

Priority

CVSS

3668705

Update to Security Note released on November 2025 Patch Day:

[CVE-2025-42887] Code Injection vulnerability in SAP Solution Manager
Product - SAP Solution Manager
Version(s) - ST 720

Critical

9.9

3610322

Update to Security Note released on July 2025 Patch Day:

[CVE-2025-42961] Missing Authorization check in SAP NetWeaver Application Server for ABAP
Product - SAP NetWeaver Application Server for ABAP
Version(s) - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816

Medium

4.9

3626440

Update to Security Note released on July 2025 Patch Day:

[CVE-2025-42986] Missing Authorization check in SAP NetWeaver and ABAP Platform

Product - SAP NetWeaver and ABAP Platform
Version(s) - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754

Medium

4.3

SAP Security Patch Day - December 2025

This post shares the information on security notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on priority to protect their SAP landscape.

On 9th of December 2025, SAP security patch day saw the release of 14 new security notes.


Note#

Title

Priority

CVSS

3685270

[CVE-2025-42880] Code Injection vulnerability in SAP Solution Manager
Product - SAP Solution Manager
Version(s) - ST 720

Critical

9.9

3683579

[CVE-2025-55754] Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud
Related CVE - CVE-2025-55752
Product - SAP Commerce Cloud
Version(s) - HY_COM 2205, COM_CLOUD 2211, COM_CLOUD 2211-JDK21

Critical

9.6

3685286

[CVE-2025-42928] Deserialization Vulnerability in SAP jConnect - SDK for ASE
Product - SAP jConnect - SDK for ASE
Version(s) - SYBASE_SOFTWARE_DEVELOPER_KIT 16.0.4, 16.1

Critical

9.1

3684682

[CVE-2025-42878] Sensitive Data Exposure in SAP Web Dispatcher and Internet Communication Manager (ICM)
Product - SAP Web Dispatcher and Internet Communication Manager (ICM)
Version(s) - KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, WEBDISP 7.22_EXT, 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.16

High

8.2

3640185

[CVE-2025-42874] Denial of service (DOS) in SAP NetWeaver (remote service for Xcelsius)
Product - SAP NetWeaver (remote service for Xcelsius)
Version(s) - BI-BASE-E 7.50, BI-BASE-B 7.50, BI-IBC 7.50, BI-BASE-S 7.50, BIWEBAPP 7.50

High

7.9

3650226

[CVE-2025-48976] Denial of service (DOS) in SAP Business Objects
Product - SAP Business Objects
Version(s) - ENTERPRISE 430, 2025, 2027

High

7.5

3677544

[CVE-2025-42877] Memory Corruption vulnerability in SAP Web Dispatcher, Internet Communication Manager and SAP Content Server
Product - SAP Web Dispatcher, Internet Communication Manager and SAP Content Server
Version(s) - KRNL64UC 7.53, WEBDISP 7.53, 7.54, XS_ADVANCED_RUNTIME 1.00, SAP_EXTENDED_APP_SERVICES 1, CONTSERV 7.53, 7.54, KERNEL 7.53, 7.54

High

7.5

3672151

[CVE-2025-42876] Missing Authorization Check in SAP S/4 HANA Private Cloud (Financials General Ledger)
Product - SAP S/4 HANA Private Cloud (Financials General Ledger)
Version(s) - S4CORE 104, 105, 106, 107, 108, 109

High

7.1

3591163

[CVE-2025-42875] Missing Authentication check in SAP NetWeaver Internet Communication Framework
Product - SAP NetWeaver Internet Communication Framework
Version(s) - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758

Medium

6.6

3662324

[CVE-2025-42904] Information Disclosure vulnerability in Application Server ABAP
Product - Application Server ABAP
Version(s) - KRNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, 9.17

Medium

6.5

3662622

[CVE-2025-42872] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
Product - SAP NetWeaver Enterprise Portal
Version(s) - EP-RUNTIME 7.50

Medium

6.1

3676970

[CVE-2025-42873] Denial of Service (DoS) in SAPUI5 framework (Markdown-it component)
Product - SAPUI5 framework (Markdown-it component)
Version(s) - SAP_UI 755, 756, 757, 758

Medium

5.9

3659117

[CVE-2025-42891] Missing Authorization check in SAP Enterprise Search for ABAP
Product - SAP Enterprise Search for ABAP
Version(s) - SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816

Medium

5.5

3651390

[CVE-2025-42896] Server-Side Request Forgery (SSRF) in SAP BusinessObjects Business Intelligence Platform
Product - SAP BusinessObjects Business Intelligence Platform
Version(s) - ENTERPRISE 430, 2025, 2027

Medium

5.4

2 previously released security notes were updated after the scheduled monthly patch day.

3683579

Update to Security Note released on December 2025 Patch Day:

[CVE-2025-55754] Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud
Related CVE - CVE-2025-55752
Product - SAP Commerce Cloud
Version(s) - HY_COM 2205, COM_CLOUD 2211, COM_CLOUD 2211-JDK21

Critical

9.6

3685286

Update to Security Note released on December 2025 Patch Day:

[CVE-2025-42928] Deserialization Vulnerability in SAP jConnect - SDK for ASE
Product - SAP jConnect - SDK for ASE
Version(s) - SYBASE_SOFTWARE_DEVELOPER_KIT 16.0.4, 16.1

Critical

9.1

To know more about the security researchers and research companies who have contributed for security patches of this month, visit here.
SAP is committed to delivering trustworthy products and cloud services. Secure configuration is essential to ensuring secure operation and data integrity. We have therefore documented security recommendations that are consolidated in this document to help you configure the best security for your SAP portfolio.
Archived blogs from previous years are available here.
If you have any comments or feedback about this post, you can write to secure@sap.com.