SAP Security Patch Day - February 2025

This page shares information on the Security Notes that address vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on a priority basis to protect their SAP landscape.

On February 11, 2025, 19 new Security Notes were released on SAP Security Patch Day. In addition, there were 2 updates to previously released Security Notes.

| Note# | Title | Product / Version | Priority | CVSS |
|---|---|---|---|---|
| 3417627 | Update to Security Note released on February 2024 Patch Day: [CVE-2024-22126] Cross Site Scripting vulnerability in NetWeaver AS Java (User Admin Application) | SAP NetWeaver AS Java (User Admin Application), Version 7.50 | High | 8.8 |
| 3525794 | [CVE-2025-0064] Improper Authorization in SAP BusinessObjects Business Intelligence platform (Central Management Console) | SAP BusinessObjects Business Intelligence platform (Central Management Console), Versions ENTERPRISE 430, 2025 | High | 8.7 |
| 3567551 | [CVE-2025-25243] Path traversal vulnerability in SAP Supplier Relationship Management (Master Data Management Catalog) | SAP Supplier Relationship Management (Master Data Management Catalog), Version SRM_MDM_CAT 7.52 | High | 8.6 |
| 3567974 | [CVE-2025-24876] Authentication bypass via authorization code injection in SAP Approuter | Library @sap/approuter, Versions 2.6.1 to 16.7.1 | High | 8.1 |
| 3567172 | [CVE-2024-38819] Multiple vulnerabilities in SAP Enterprise Project Connection (related CVEs: CVE-2024-38820, CVE-2024-38828) | SAP Enterprise Project Connection, Version 3.0 | High | 7.5 |
| 3563929 | [CVE-2025-24868] Open Redirect Vulnerability in SAP HANA extended application services, advanced model (User Account and Authentication Services) | SAP HANA extended application services, advanced model (User Account and Authentication Services), Version SAP_EXTENDED_APP_SERVICES 1 | High | 7.1 |
| 3555364 | [CVE-2025-24875] SameSite Defense in Depth not applied for some cookies in SAP Commerce | SAP Commerce, Versions HY_COM 2205, COM_CLOUD 2211 | Medium | 6.8 |
| 3559510 | [CVE-2025-24874] Missing Defense in Depth Against Clickjacking in SAP Commerce (Backoffice) | SAP Commerce (Backoffice), Versions HY_COM 2205, COM_CLOUD 2211 | Medium | 6.8 |
| 3557138 | Update 1 to Security Note 3417627: [CVE-2024-22126] Cross Site Scripting vulnerability in NetWeaver AS Java (User Admin Application) | SAP NetWeaver AS Java (User Admin Application), Version 7.50 | Medium | 6.1 |
| 3445708 | [CVE-2025-24867] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform (BI Launchpad) | SAP BusinessObjects Platform (BI Launchpad), Versions ENTERPRISE 430, 2025 | Medium | 6.1 |
| 3562336 | [CVE-2025-24870] Insecure Key & Secret Management vulnerability in SAP GUI for Windows | SAP GUI for Windows, Version BC-FES-GUI 8.00 | Medium | 6.0 |
| 3540273 | Multiple vulnerabilities in Apache Solr within SAP Commerce Cloud (related CVEs: CVE-2024-45216, CVE-2024-45217) | SAP Commerce Cloud, Versions HY_COM 2205, COM_CLOUD 2211 | Medium | 5.5 |
| 3526203 | [CVE-2025-0054] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java | SAP NetWeaver Application Server Java, Versions EP-BASIS 7.50, FRAMEWORK-EXT 7.50 | Medium | 5.4 |
| 3532025 | [CVE-2025-25241] Missing Authorization check in SAP Fiori Apps Reference Library (My Overtime Requests) | SAP Fiori Apps Reference Library (My Overtime Requests), Version GBX01HR5 605 | Medium | 5.4 |
| 3546470 | [CVE-2025-23187] Missing Authorization Check in SAP NetWeaver and ABAP Platform (SDCCN) (related CVE: CVE-2025-23189) | SAP NetWeaver and ABAP Platform (SDCCN), Versions ST-PI 2008_1_700, ST-PI 2008_1_710, ST-PI 740 | Medium | 5.3 |
| 3561264 | [CVE-2025-23193] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP | SAP NetWeaver Server ABAP, Versions SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758 | Medium | 5.3 |
| 3287784 | Update to Security Note released on April 2023 Patch Day: [CVE-2023-24527] Improper Access Control in SAP NetWeaver AS Java for Deploy Service | SAP NetWeaver AS Java for Deploy Service, Versions ENGINEAPI 7.50, SERVERCORE 7.50 | Medium | 5.3 |
| 3550027 | [CVE-2025-24869] Information Disclosure vulnerability in SAP NetWeaver Application Server Java | SAP NetWeaver Application Server Java, Version WD-RUNTIME 7.50 | Medium | 4.3 |
| 3553753 | [CVE-2025-24872] Missing Authorization check in SAP ABAP Platform (ABAP Build Framework) | SAP ABAP Platform (ABAP Build Framework), Versions SAP_BASIS 750, 751, 752, 753, 754, 755, 756, 757, 758 | Medium | 4.3 |
| 3547581 | [CVE-2025-23190] Missing Authorization check in SAP NetWeaver and ABAP platform (ST-PI) | SAP NetWeaver and ABAP platform (ST-PI), Versions ST-PI 2008_1_700, ST-PI 2008_1_710, ST-PI 740 | Medium | 4.3 |
| 3426825 | [CVE-2025-23191] Cache Poisoning through header manipulation vulnerability in SAP Fiori for SAP ERP | SAP Fiori for SAP ERP, Versions SAP_GWFND 740, 750, 751, 752, 753, 754, 755, 756, 757, 758 | Low | 3.1 |

For details on the security researchers and research companies who contributed to this month's security patches, see here.
SAP is committed to delivering trustworthy products and cloud services. Secure configuration is essential for safe operation and data integrity. For that reason, the security recommendations integrated into this document are provided so that the SAP portfolio can be configured for optimal security.
Archived blogs from previous months are available here.
If you have comments or feedback about this page, please contact secure@sap.com. (Inquiries must be submitted in English.)