SAP Security Patch Day - February 2025
This post shares information on the Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches as a priority to protect their SAP landscape.
On 11 February 2025, SAP Security Patch Day saw the release of 19 new Security Notes. In addition, there were 2 updates to previously released Security Notes.
| Note# | Title | Priority | CVSS |
| --- | --- | --- | --- |
| | Update to Security Note released on February 2024 Patch Day: [CVE-2024-22126] Cross Site Scripting vulnerability in NetWeaver AS Java (User Admin Application). Product: SAP NetWeaver AS Java (User Admin Application), Version: 7.50 | High | |
| | [CVE-2025-0064] Improper Authorization in SAP BusinessObjects Business Intelligence platform (Central Management Console). Product: SAP BusinessObjects Business Intelligence platform (Central Management Console), Versions: ENTERPRISE 430, 2025 | High | |
| | [CVE-2025-25243] Path traversal vulnerability in SAP Supplier Relationship Management (Master Data Management Catalog) | High | |
| | [CVE-2025-24876] Authentication bypass via authorization code injection in SAP Approuter | High | |
| | [CVE-2024-38819] Multiple vulnerabilities in SAP Enterprise Project Connection. Related CVEs: CVE-2024-38820, CVE-2024-38828 | High | |
| | [CVE-2025-24868] Open Redirect Vulnerability in SAP HANA extended application services, advanced model (User Account and Authentication Services) | High | |
| | [CVE-2025-24875] SameSite Defense in Depth not applied for some cookies in SAP Commerce. Product: SAP Commerce, Versions: HY_COM 2205, COM_CLOUD 2211 | Medium | |
| | [CVE-2025-24874] Missing Defense in Depth Against Clickjacking in SAP Commerce (Backoffice). Product: SAP Commerce (Backoffice), Versions: HY_COM 2205, COM_CLOUD 2211 | Medium | |
| 3417627 | Update 1 to Security Note 3417627 - [CVE-2024-22126] Cross Site Scripting vulnerability in NetWeaver AS Java (User Admin Application). Product: SAP NetWeaver AS Java (User Admin Application), Version: 7.50 | Medium | |
| | [CVE-2025-24867] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform (BI Launchpad). Product: SAP BusinessObjects Platform (BI Launchpad), Versions: ENTERPRISE 430, 2025 | Medium | |
| | [CVE-2025-24870] Insecure Key & Secret Management vulnerability in SAP GUI for Windows. Product: SAP GUI for Windows, Version: BC-FES-GUI 8.00 | Medium | |
| | Multiple vulnerabilities in Apache Solr within SAP Commerce Cloud. Related CVEs: CVE-2024-45216, CVE-2024-45217. Versions: HY_COM 2205, COM_CLOUD 2211 | Medium | |
| | [CVE-2025-0054] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java. Product: SAP NetWeaver Application Server Java, Versions: EP-BASIS 7.50, FRAMEWORK-EXT 7.50 | Medium | |
| | [CVE-2025-25241] Missing Authorization check in SAP Fiori Apps Reference Library (My Overtime Requests). Product: SAP Fiori Apps Reference Library (My Overtime Requests), Version: GBX01HR5 605 | Medium | |
| | [CVE-2025-23187] Missing Authorization Check in SAP NetWeaver and ABAP Platform (SDCCN). Related CVE: CVE-2025-23189. Product: SAP NetWeaver and ABAP Platform (SDCCN), Versions: ST-PI 2008_1_700, ST-PI 2008_1_710, ST-PI 740 | Medium | |
| | [CVE-2025-23193] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP. Product: SAP NetWeaver Server ABAP, Versions: SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 | Medium | |
| | Update to Security Note released on April 2023 Patch Day: [CVE-2023-24527] Improper Access Control in SAP NetWeaver AS Java for Deploy Service. Product: SAP NetWeaver AS Java for Deploy Service, Versions: ENGINEAPI 7.50, SERVERCORE 7.50 | Medium | |
| | [CVE-2025-24869] Information Disclosure vulnerability in SAP NetWeaver Application Server Java | Medium | |
| | [CVE-2025-24872] Missing Authorization check in SAP ABAP Platform (ABAP Build Framework) | Medium | |
| | [CVE-2025-23190] Missing Authorization check in SAP NetWeaver and ABAP platform (ST-PI) | Medium | |
| | [CVE-2025-23191] Cache Poisoning through header manipulation vulnerability in SAP Fiori for SAP ERP | Low | |
To learn more about the security researchers and research companies who contributed to this month's security patches, visit here.
SAP is committed to delivering trustworthy products and cloud services. Secure configuration is essential to secure operation and data integrity. We have therefore documented security recommendations, consolidated in this document, to help you configure your SAP portfolio as securely as possible.
Archived blogs from previous years are available here.
If you have any comments or feedback about this post, you can write to secure@sap.com.