SAP has released its August 2025 security patch package containing 19 security notes addressing critical vulnerabilities across enterprise SAP environments. This release includes three HotNews vulnerabilities with maximum CVSS 9.9 ratings, two High priority issues, twelve Medium priority fixes, and two Low priority updates. The patches affect S/4HANA, NetWeaver AS ABAP, SAP GUI, Fiori, Cloud Connector and SAP Business One.
Patch day at a glance: 19 security notes, 3 HotNews, 2 High, 12 Medium, 2 Low.
🎯 Executive Summary
- Critical Code Execution Vulnerabilities: Three HotNews vulnerabilities (CVE-2025-42950, CVE-2025-42957, CVE-2025-27429) with CVSS 9.9 require immediate emergency patching across Analysis Platform and S/4HANA.
- Authorization Control Failures: Several authorization bypass issues in Business One SLD and NetWeaver AS ABAP BIC Document components.
- Common Attack Vectors: Insufficient authorization, XSS, HTML injection, information disclosure, directory traversal, CRLF injection, reverse tabnabbing.
🚨 Critical HotNews Vulnerabilities
- Remote Code Execution in Analysis Platform: Authenticated attackers with minimal privileges can execute arbitrary OS commands, leading to full system compromise.
- Code Injection in S/4HANA Private Cloud Environment: Exploitation enables remote attackers to execute malicious code, compromising confidentiality, integrity and availability across connected environments.
- Legacy Code Injection Vulnerability (Updated Patch): Previously disclosed in April 2025; updated patch released August 2025.
⚠️ High Priority Security Issues
- Authorization Bypass in Business One SLD: Low-privileged users can perform administrative operations and access sensitive data.
- Multiple Security Flaws in BIC Document Component: Unauthorized access to financial reporting data and potential service disruption.
🔸 Medium Priority Vulnerabilities
- Directory Traversal in Bank Communication Management: Path traversal allows access to sensitive banking files.
- Cross-Site Scripting in CRM Business Framework: Reflected XSS can compromise user sessions.
- HTML Injection in SAP GUI Web Interface: Malicious markup can manipulate web interface rendering.
- Information Disclosure in GUI HTML Component: Local privileged users can read sensitive data.
- Authorization Bypass in Enterprise Portal Navigation: Unauthenticated users can modify portal navigation elements.
- Authorization Control Gap in ABAP Platform: High-privilege users can read sensitive configuration data.
- Information Disclosure in SAP GUI Windows Client: Sensitive system data may leak through the GUI interface.
- CRLF Injection in Document Management Service: Authenticated users can manipulate HTTP headers.
- Authorization Bypass in NetWeaver Test Suite: Low-privilege users can access restricted test information.
- Open Redirect in Mobile Services API: Users may be redirected to malicious external sites.
- XML External Entity Issue in PI Adapter: Improper XML parsing could disclose internal files.
- Cross-Site Request Forgery in BPC Web Admin: CSRF could alter administrative settings.
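Two of the Medium items above, the open redirect and the CRLF injection, share one root cause: user-controlled input reaching an HTTP `Location` header without validation. The following is an added example written for this advisory, not code from SAP or from any of the affected components, showing the checks a defender would expect in front of such a header. The allowlist hosts and the sample targets are constructed for the example.

```python
"""Validate a user-supplied redirect target before it reaches a Location header.

Added example for this advisory; the allowlist below is constructed, not taken
from any SAP product.
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist: hosts a redirect is permitted to land on.
ALLOWED_HOSTS = {"portal.example.com", "fiori.example.com"}


def safe_redirect_target(target: str, allowed_hosts=ALLOWED_HOSTS):
    """Return a validated redirect target, or None if it must be refused.

    Refused inputs:
      * anything containing CR or LF, because the value lands in a response
        header and a newline would let the caller append further headers
        (the CRLF injection class listed above)
      * scheme-relative ("//host") and backslash-disguised ("/\\host") targets,
        which browsers resolve to a different host (open redirect)
      * absolute URLs whose host is not allowlisted, including look-alikes such
        as "portal.example.com.evil.test" and "user@portal.example.com@evil.test"
      * non-http(s) schemes such as "javascript:"
    Only absolute paths ("/...") and allowlisted absolute URLs are accepted.
    """
    if not target or "\r" in target or "\n" in target:
        return None
    # Browsers normalise backslashes to forward slashes; do the same before
    # deciding what the target really points at.
    candidate = target.replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return None
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: accept a single-slash absolute path only.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
        return None
    if parts.scheme not in ("http", "https"):
        return None
    # hostname strips userinfo and port, so "user@allowed@evil" resolves to "evil".
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return None
    return urlunsplit(parts)


if __name__ == "__main__":
    # Constructed inputs: the first two are accepted, the rest refused.
    for sample in ("/dashboard", "https://portal.example.com/app?x=1",
                   "//evil.test/x", "/\\evil.test",
                   "https://portal.example.com.evil.test/",
                   "javascript:alert(1)", "/ok\r\nSet-Cookie: a=b"):
        print(repr(sample), "->", safe_redirect_target(sample))
```

The check is deliberately allowlist-based: a denylist of known-bad prefixes is what typically lets the backslash and userinfo variants through. The CR/LF test runs on the raw input before `urlsplit`, because recent Python versions silently strip those characters during parsing and would otherwise hide the injection attempt.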
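For the XML External Entity item, the usual mitigation on the receiving side is to refuse any document that declares a DTD before it reaches the parser. This added example is not code from the PI Adapter or from SAP; it shows a pre-parse guard in Python that also handles the UTF-16 encoding trick that defeats a naive byte-level scan. The sample documents are constructed.

```python
"""Refuse DTD-bearing XML from an untrusted peer before parsing it.

Added example for this advisory; it is not SAP code. Rejecting every DOCTYPE
is the conservative choice: that is where internal, external (SYSTEM/PUBLIC)
and parameter entities are declared, and message-level interfaces rarely
need one.
"""
import re
import xml.etree.ElementTree as ET

_DTD_RE = re.compile(r"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def _decode_for_scan(data: bytes) -> str:
    """Decode bytes to text for scanning, honouring a UTF-16 BOM.

    A document encoded as UTF-16 interleaves NUL bytes between characters, so
    a regex over the raw bytes would never see the string "<!DOCTYPE".
    """
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def dtd_free(data: bytes) -> bool:
    """True if the document declares no DOCTYPE and no ENTITY."""
    return _DTD_RE.search(_decode_for_scan(data)) is None


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML only after the DTD guard has passed; raise ValueError otherwise."""
    if not dtd_free(data):
        raise ValueError("rejected: DTD or entity declaration in untrusted XML")
    return ET.fromstring(data)


# Constructed sample messages.
BENIGN = b'<?xml version="1.0"?><Payment><Id>42</Id><Amount>100.00</Amount></Payment>'
WITH_DTD = (b'<?xml version="1.0"?><!DOCTYPE p [<!ENTITY ext SYSTEM "file:///placeholder">]>'
            b'<Payment><Id>&ext;</Id></Payment>')
WITH_DTD_UTF16 = WITH_DTD.decode("utf-8").encode("utf-16")

if __name__ == "__main__":
    print("benign parsed, root =", parse_untrusted_xml(BENIGN).tag)
    for name, doc in (("utf-8 DTD", WITH_DTD), ("utf-16 DTD", WITH_DTD_UTF16)):
        try:
            parse_untrusted_xml(doc)
        except ValueError as exc:
            print(name, "->", exc)
```

The guard sits in front of whatever parser the integration actually uses, so it does not depend on that parser's entity-expansion defaults; a document that legitimately contains the text `<!DOCTYPE` inside CDATA is also refused, which is acceptable for a machine-to-machine interface.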
🔹 Low Priority Security Updates
- Authorization Gap in Cloud Connector: Local users may cause limited service disruption.
- Reverse Tabnabbing in Fiori Launchpad: High-privilege users could be exposed to phishing via hijacked tabs.
Security Advisory prepared by RedRays Cybersecurity Team
Based on SAP Security Notes published 12 Aug 2025.
© 2025 RedRays. Test patches in development environments before production deployment.