Skip links
Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

SAP Security Patch Day – April 2025

On April 8, 2025, SAP released its monthly Security Patch Day updates, addressing 19 new vulnerabilities across various SAP products and components. This month's release includes 3 HotNews notes (CVSS score ≥ 9.0) and 6 High Priority notes (CVSS score ≥ 7.0), making it a particularly critical update cycle for SAP administrators.

Critical Vulnerabilities (HotNews)

CVE-2025-31330: Code Injection Vulnerability in SAP Landscape Transformation

CVSS Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Affected Component: SAP Landscape Transformation (Analysis Platform)

Description: A critical code injection vulnerability that could allow an attacker with low privileges to execute arbitrary code. The remotely exploitable nature and low complexity make this a severe threat to confidentiality, integrity, and availability of affected systems.

Priority: HotNews

Recommendation: Apply patch immediately as this vulnerability can be exploited remotely with minimal effort.

CVE-2025-27429: Code Injection Vulnerability in SAP S/4HANA

CVSS Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Affected Component: SAP S/4HANA (Private Cloud)

Description: This critical vulnerability allows attackers with low privileges to inject malicious code into the system, potentially leading to complete system compromise.

Priority: HotNews

Recommendation: Immediate patching is essential to prevent remote exploitation that could lead to unauthorized access and data breaches.

CVE-2025-30016: Authentication Bypass Vulnerability in SAP Financial Consolidation

CVSS Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Component: SAP Financial Consolidation

Description: A severe authentication bypass vulnerability that allows unauthenticated attackers to gain complete access to the system without requiring user interaction.

Priority: HotNews

Recommendation: This vulnerability must be patched immediately as it can be exploited by unauthenticated users over the network with minimal complexity.

High-Priority Vulnerabilities

CVE-2024-56337: TOCTOU Race Condition in Apache Tomcat within SAP Commerce Cloud

CVSS Score: 8.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Component: Apache Tomcat within SAP Commerce Cloud

Description: A Time-of-check Time-of-use race condition vulnerability that could allow unauthenticated remote attackers to compromise system security.

Priority: Correction with high priority

Recommendation: Apply the security patch promptly to mitigate potential exploitation of this vulnerability.

CVE-2025-0064: Improper Authorization in SAP BusinessObjects BI Platform

CVSS Score: 8.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Affected Component: SAP BusinessObjects Business Intelligence platform

Description: An improper authorization vulnerability that allows local attackers with low privileges to gain unauthorized access to sensitive data and functionality.

Priority: Correction with high priority

Recommendation: Implement the provided patch to ensure proper authorization controls are in place.

CVE-2025-23186: Mixed Dynamic RFC Destination Vulnerability

CVSS Score: 8.5 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)

Affected Component: SAP NetWeaver Application Server ABAP (Remote Function Call)

Description: This vulnerability in RFC could allow attackers to exploit dynamic destination handling, potentially leading to unauthorized access and data manipulation.

Priority: Correction with high priority

Recommendation: Apply the provided security note to address the vulnerability in RFC destinations.

CVE-2025-27428: Directory Traversal in SAP NetWeaver and ABAP Platform

CVSS Score: 7.7 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

Affected Component: SAP NetWeaver and ABAP Platform (Service Data Collection)

Description: A directory traversal vulnerability that could allow attackers to access files and directories outside the intended scope, potentially exposing sensitive information.

Priority: Correction with high priority

Recommendation: Update affected systems promptly to prevent unauthorized access to sensitive files.

CVE-2025-30014: Directory Traversal in SAP Capital Yield Tax Management

CVSS Score: 7.7 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

Affected Component: SAP Capital Yield Tax Management

Description: Similar to CVE-2025-27428, this directory traversal vulnerability could expose critical financial data to unauthorized users.

Priority: Correction with high priority

Recommendation: Apply the security update to prevent potential data breaches in financial systems.

Medium-Priority Vulnerabilities

CVE-2025-30013: Code Injection in SAP ERP BW Business Content

CVSS Score: 6.7 (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected Component: SAP ERP BW Business Content

Description: A code injection vulnerability that requires local access and high privileges but could lead to significant system compromise if exploited.

Priority: Correction with medium priority

CVE-2025-31332: Insecure File Permissions in SAP BusinessObjects BI Platform

CVSS Score: 6.6 (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H)

Affected Component: SAP BusinessObjects Business Intelligence Platform

Description: Insecure file permissions could allow attackers with local access to modify system files, potentially leading to integrity and availability issues.

Priority: Correction with medium priority

CVE-2025-26654: Information Disclosure in SAP Commerce Cloud

CVSS Score: 6.8 (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

Affected Component: SAP Commerce Cloud (Public Cloud)

Description: A potential information disclosure vulnerability that could expose sensitive data to unauthenticated attackers who can access the system via adjacent networks.

Priority: Correction with medium priority

CVE-2025-26657: Information Disclosure in SAP KMC WPC

CVSS Score: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Component: SAP KMC WPC

Description: An information disclosure vulnerability that could allow unauthenticated attackers to access limited sensitive information.

Priority: Correction with medium priority

CVE-2025-26653: Cross-Site Scripting in SAP NetWeaver AS ABAP

CVSS Score: 4.7 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Component: SAP NetWeaver Application Server ABAP (GUI for HTML)

Description: An XSS vulnerability that could allow attackers to inject malicious scripts, potentially leading to session hijacking or credential theft.

Priority: Correction with medium priority

CVE-2025-31331: Authorization Bypass in SAP NetWeaver

CVSS Score: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Component: SAP NetWeaver

Description: An authorization bypass vulnerability that could allow attackers with low privileges to access information they shouldn't be able to.

Priority: Correction with medium priority

CVE-2025-27437: Missing Authorization Check in SAP NetWeaver AS ABAP

CVSS Score: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Component: SAP NetWeaver Application Server ABAP (Virus Scan Interface)

Description: A missing authorization check that could allow attackers with low privileges to access restricted information.

Priority: Correction with medium priority

CVE-2025-31333: Odata Meta-data Tampering in SAP S4CORE

CVSS Score: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Affected Component: SAP S4CORE entity

Description: This vulnerability allows attackers to tamper with Odata meta-data, potentially affecting data integrity.

Priority: Correction with medium priority

CVE-2025-30017: Missing Authorization Check in SAP Solution Manager

CVSS Score: 4.4 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L)

Affected Component: SAP Solution Manager

Description: A missing authorization check that requires local access and could lead to minor integrity and availability issues.

Priority: Correction with medium priority

CVE-2025-30015: Memory Corruption in SAP NetWeaver and ABAP Platform

CVSS Score: 4.1 (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L)

Affected Component: SAP NetWeaver and ABAP Platform (Application Server ABAP)

Description: A memory corruption vulnerability that requires high privileges and complex attack scenarios to exploit.

Priority: Correction with medium priority

CVE-2025-27435: Information Disclosure in SAP Commerce Cloud

CVSS Score: 4.2 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)

Affected Component: SAP Commerce Cloud

Description: An information disclosure vulnerability that requires user interaction and complex attack vectors to exploit.

Priority: Correction with medium priority

Explore More

SAP Security Training

Discover vulnerabilities through the eyes of an attacker In today’s digital landscape, SAP systems form the backbone of critical business operations for

SAP Security Patch Day RedRays

SAP Security Patch Day – May 2025

On May 13, 2025, SAP released its monthly Security Patch Day updates, addressing 18 new vulnerabilities across various SAP products and components.

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series.