Vahagn Vardanian, Co-founder and CTO of RedRays

SAP Security Patch Day – April 2025

On April 8, 2025, SAP released its monthly Security Patch Day updates, addressing 19 new vulnerabilities across various SAP products and components. This month's release includes 3 HotNews notes (CVSS score ≥ 9.0) and 6 High Priority notes (CVSS score ≥ 7.0), making it a particularly critical update cycle for SAP administrators.

Critical Vulnerabilities (HotNews)

CVE-2025-31330: Code Injection Vulnerability in SAP Landscape Transformation

CVSS Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Affected Component: SAP Landscape Transformation (Analysis Platform)

Description: A critical code injection vulnerability that could allow an attacker with low privileges to execute arbitrary code. The remotely exploitable nature and low complexity make this a severe threat to confidentiality, integrity, and availability of affected systems.

Priority: HotNews

Recommendation: Apply patch immediately as this vulnerability can be exploited remotely with minimal effort.

CVE-2025-27429: Code Injection Vulnerability in SAP S/4HANA

CVSS Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Affected Component: SAP S/4HANA (Private Cloud)

Description: This critical vulnerability allows attackers with low privileges to inject malicious code into the system, potentially leading to complete system compromise.

Priority: HotNews

Recommendation: Immediate patching is essential to prevent remote exploitation that could lead to unauthorized access and data breaches.

CVE-2025-30016: Authentication Bypass Vulnerability in SAP Financial Consolidation

CVSS Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Component: SAP Financial Consolidation

Description: A severe authentication bypass vulnerability that allows unauthenticated attackers to gain complete access to the system without requiring user interaction.

Priority: HotNews

Recommendation: This vulnerability must be patched immediately as it can be exploited by unauthenticated users over the network with minimal complexity.

High-Priority Vulnerabilities

CVE-2024-56337: TOCTOU Race Condition in Apache Tomcat within SAP Commerce Cloud

CVSS Score: 8.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Component: Apache Tomcat within SAP Commerce Cloud

Description: A time-of-check/time-of-use (TOCTOU) race condition that could allow unauthenticated remote attackers to compromise the affected system.

Priority: Correction with high priority

Recommendation: Apply the security patch promptly to mitigate potential exploitation of this vulnerability.

CVE-2025-0064: Improper Authorization in SAP BusinessObjects BI Platform

CVSS Score: 8.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Affected Component: SAP BusinessObjects Business Intelligence platform

Description: An improper authorization vulnerability that allows local attackers with low privileges to gain unauthorized access to sensitive data and functionality.

Priority: Correction with high priority

Recommendation: Implement the provided patch to ensure proper authorization controls are in place.

CVE-2025-23186: Mixed Dynamic RFC Destination Vulnerability

CVSS Score: 8.5 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)

Affected Component: SAP NetWeaver Application Server ABAP (Remote Function Call)

Description: This vulnerability in RFC could allow attackers to exploit dynamic destination handling, potentially leading to unauthorized access and data manipulation.

Priority: Correction with high priority

Recommendation: Apply the provided security note to address the vulnerability in RFC destinations.

CVE-2025-27428: Directory Traversal in SAP NetWeaver and ABAP Platform

CVSS Score: 7.7 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

Affected Component: SAP NetWeaver and ABAP Platform (Service Data Collection)

Description: A directory traversal vulnerability that could allow attackers to access files and directories outside the intended scope, potentially exposing sensitive information.

Priority: Correction with high priority

Recommendation: Update affected systems promptly to prevent unauthorized access to sensitive files.

CVE-2025-30014: Directory Traversal in SAP Capital Yield Tax Management

CVSS Score: 7.7 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

Affected Component: SAP Capital Yield Tax Management

Description: Similar to CVE-2025-27428, this directory traversal vulnerability could expose critical financial data to unauthorized users.

Priority: Correction with high priority

Recommendation: Apply the security update to prevent potential data breaches in financial systems.

Medium-Priority Vulnerabilities

CVE-2025-30013: Code Injection in SAP ERP BW Business Content

CVSS Score: 6.7 (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected Component: SAP ERP BW Business Content

Description: A code injection vulnerability that requires local access and high privileges but could lead to significant system compromise if exploited.

Priority: Correction with medium priority

CVE-2025-31332: Insecure File Permissions in SAP BusinessObjects BI Platform

CVSS Score: 6.6 (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H)

Affected Component: SAP BusinessObjects Business Intelligence Platform

Description: Insecure file permissions could allow attackers with local access to modify system files, potentially leading to integrity and availability issues.

Priority: Correction with medium priority

CVE-2025-26654: Information Disclosure in SAP Commerce Cloud

CVSS Score: 6.8 (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

Affected Component: SAP Commerce Cloud (Public Cloud)

Description: A potential information disclosure vulnerability that could expose sensitive data to unauthenticated attackers who can access the system via adjacent networks.

Priority: Correction with medium priority

CVE-2025-26657: Information Disclosure in SAP KMC WPC

CVSS Score: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Component: SAP KMC WPC

Description: An information disclosure vulnerability that could allow unauthenticated attackers to access limited sensitive information.

Priority: Correction with medium priority

CVE-2025-26653: Cross-Site Scripting in SAP NetWeaver AS ABAP

CVSS Score: 4.7 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Component: SAP NetWeaver Application Server ABAP (GUI for HTML)

Description: An XSS vulnerability that could allow attackers to inject malicious scripts, potentially leading to session hijacking or credential theft.

Priority: Correction with medium priority

CVE-2025-31331: Authorization Bypass in SAP NetWeaver

CVSS Score: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Component: SAP NetWeaver

Description: An authorization bypass vulnerability that could allow attackers with low privileges to access information they should not be able to read.

Priority: Correction with medium priority

CVE-2025-27437: Missing Authorization Check in SAP NetWeaver AS ABAP

CVSS Score: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Component: SAP NetWeaver Application Server ABAP (Virus Scan Interface)

Description: A missing authorization check that could allow attackers with low privileges to access restricted information.

Priority: Correction with medium priority

CVE-2025-31333: OData Metadata Tampering in SAP S4CORE

CVSS Score: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Affected Component: SAP S4CORE entity

Description: This vulnerability allows attackers to tamper with OData metadata, potentially affecting data integrity.

Priority: Correction with medium priority

CVE-2025-30017: Missing Authorization Check in SAP Solution Manager

CVSS Score: 4.4 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L)

Affected Component: SAP Solution Manager

Description: A missing authorization check that requires local access and could lead to minor integrity and availability issues.

Priority: Correction with medium priority

CVE-2025-30015: Memory Corruption in SAP NetWeaver and ABAP Platform

CVSS Score: 4.1 (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L)

Affected Component: SAP NetWeaver and ABAP Platform (Application Server ABAP)

Description: A memory corruption vulnerability that requires high privileges and complex attack scenarios to exploit.

Priority: Correction with medium priority

CVE-2025-27435: Information Disclosure in SAP Commerce Cloud

CVSS Score: 4.2 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)

Affected Component: SAP Commerce Cloud

Description: An information disclosure vulnerability that requires user interaction and complex attack vectors to exploit.

Priority: Correction with medium priority
