Skip links
RedRays - Your SAP Security Solution
Picture of Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

SAP Security on Udemy

SAP Security Patch Day – August 2025

SAP has released its August 2025 security patch package containing 19 security notes addressing critical vulnerabilities across enterprise SAP environments. This release includes three HotNews vulnerabilities with maximum CVSS 9.9 ratings, two High priority issues, twelve Medium priority fixes, and two Low priority updates. The security patches affect core components including SAP S/4HANA (LT/DT modules), NetWeaver AS ABAP (ICF/ICM), SAP GUI (Windows/HTML), Fiori Launchpad, SAP Cloud Connector, and SAP Business One (SLD).

Total Security Notes
19
HotNews Critical
3
High Priority
2
Medium Priority
12
Low Priority
2

🎯 Executive Summary

  • Critical Code Execution Vulnerabilities: Three HotNews vulnerabilities (CVE-2025-42950, CVE-2025-42957, CVE-2025-27429) with CVSS 9.9 ratings require immediate emergency patching across Analysis Platform and SAP S/4HANA environments.
  • Authorization Control Failures: Multiple high-impact authorization bypass vulnerabilities in SAP Business One SLD and NetWeaver AS ABAP BIC Document components pose significant security risks.
  • Common Attack Vectors: Prevalent security weaknesses include insufficient authorization controls, cross-site scripting (XSS), HTML injection attacks, information disclosure, directory traversal, CRLF injection, and reverse tabnabbing vulnerabilities.

🚨 Critical HotNews Vulnerabilities

Remote Code Execution in Analysis Platform

9.9 CVE-2025-42950 CA-LT-ANA Code Injection
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Critical remote code execution vulnerability in SAP Analysis Platform allowing authenticated attackers with minimal privileges to execute arbitrary system commands with elevated permissions, potentially leading to complete system compromise.
SAP Note 3633838 — Deploy emergency patch immediately within 48 hours

Code Injection in S/4HANA Private Cloud Environment

9.9 CVE-2025-42957 CA-DT-ANA Code Injection
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Severe code injection vulnerability in SAP S/4HANA Private Cloud and On-Premise Data Transformation Analytics module. Exploitation enables remote attackers to execute malicious code, compromising data confidentiality, system integrity, and service availability across connected environments.
SAP Note 3627998 — Critical patch deployment required immediately

Legacy Code Injection Vulnerability (Updated Patch)

9.9 CVE-2025-27429 CA-LT-ANA Code Injection
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Previously identified critical vulnerability (originally disclosed April 2025) with updated security patch in August release. This code injection flaw in Live Analytics component requires immediate attention to prevent continued exploitation risks.
SAP Note 3581961 — Verify patch installation (Updated: August 12, 2025)

⚠️ High Priority Security Issues

Authorization Bypass in Business One SLD

8.8 CVE-2025-42951 SBO-BC-SLD Broken Authorization
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Fundamental authorization control failure in SAP Business One System Landscape Directory (SLD) component. Low-privileged authenticated users can bypass security controls to perform administrative operations, potentially accessing sensitive business data and modifying critical system configurations.
SAP Note 3625403 — Schedule deployment within 14-day maintenance window

Multiple Security Flaws in BIC Document Component

8.1 CVE-2025-42976 FIN-SEM-CPM Multiple Vulnerabilities
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Complex security vulnerability cluster affecting NetWeaver AS ABAP Business Intelligence Consumer (BIC) Document processing. Multiple attack vectors enable unauthorized access to sensitive financial reporting data and potential service disruption in corporate performance management systems.
SAP Note 3611184 — High priority patch deployment recommended

🔸 Medium Priority Vulnerabilities

Directory Traversal in Bank Communication Management

6.9 CVE-2025-42946 FIN-FSCM-BNK Directory Traversal
CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
Path traversal vulnerability in Financial Supply Chain Management Bank Communication component. Privileged users can bypass directory restrictions to access sensitive financial communication files outside intended boundaries, potentially exposing confidential banking data.
SAP Note 3614804 — Include in next monthly maintenance cycle

Cross-Site Scripting in CRM Business Framework

6.1 CVE-2025-42948 CRM-BF-ML Cross-Site Scripting
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Reflected XSS vulnerability in Customer Relationship Management Business Framework Machine Learning components. Malicious script injection can compromise user sessions and enable phishing attacks targeting CRM system users.
SAP Note 3629871 — Deploy with next security update batch

HTML Injection in SAP GUI Web Interface

6.1 CVE-2025-42945 BC-FES-WGU HTML Injection
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
HTML injection vulnerability in SAP GUI for HTML frontend component allowing insertion of malicious markup content. Attackers can manipulate web interface rendering to conduct social engineering attacks against authenticated users.
SAP Note 3585491 — Update GUI client to latest version

Information Disclosure in GUI HTML Component

6.0 CVE-2025-0059 BC-FES-WGU Information Disclosure
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Information leakage vulnerability in GUI for HTML component (originally identified January 2025, updated in August release). Local privileged users can access sensitive system information beyond intended authorization scope.
SAP Note 3503138 — Updated patch available (August 12, 2025)

Authorization Bypass in Enterprise Portal Navigation

5.3 CVE-2025-23194 EP-PIN-OBN Missing Authorization
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Missing authorization validation in Enterprise Portal Object-Based Navigation component (originally March 2025, updated August). Unauthenticated users can bypass access controls to modify portal navigation elements.
SAP Note 3561792 — Updated security fix (August 12, 2025)

Authorization Control Gap in ABAP Platform

4.9 CVE-2025-42949 BC-DWB-UTL-BRR Missing Authorization
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Authorization control deficiency in ABAP Development Workbench Utilities Business Rule Repository. High-privilege users can access confidential system information without proper authorization validation, potentially exposing sensitive configuration data.
SAP Note 3626722 — Include in routine maintenance updates

Information Disclosure in SAP GUI Windows Client

4.5 CVE-2025-42943 BC-FES-GUI Information Disclosure
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
Information leakage vulnerability in SAP GUI for Windows client requiring high-privilege access and user interaction. Sensitive system data may be exposed through improper information handling in the client interface.
SAP Note 3627845 — Update desktop GUI client installation

CRLF Injection in Document Management Service

4.3 CVE-2025-42934 CA-DMS CRLF Injection
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Carriage Return Line Feed (CRLF) injection vulnerability in Document Management Service Supplier Invoice processing component. Authenticated users can inject malicious line breaks to manipulate HTTP headers and response content.
SAP Note 3616863 — Apply during next scheduled update window

Authorization Bypass in NetWeaver Test Suite

4.3 CVE-2025-31331 CA-GTF-TS-GMA Authorization Bypass
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Authorization bypass vulnerability in NetWeaver Test Suite Global Memory Area component (originally identified April 2025, updated August 2025). Low-privilege users can access restricted testing information beyond authorized scope.
SAP Note 3577131 — Updated security patch (August 12, 2025)

🔹 Low Priority Security Updates

Authorization Gap in Cloud Connector

3.5 CVE-2025-42955 BC-MID-SCC Missing Authorization
CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Minor authorization validation deficiency in SAP Cloud Connector middleware component. Local network authenticated users may cause limited service disruption through improper access control validation with minimal impact on system availability.
SAP Note 3611345 — Include in regular maintenance schedule

Reverse Tabnabbing in Fiori Launchpad

3.5 CVE-2025-42941 CA-FLP-FE-COR Reverse Tabnabbing
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N
Reverse tabnabbing vulnerability in Fiori Launchpad Core Frontend component. High-privilege users clicking external links may be susceptible to tab hijacking attacks, potentially enabling phishing campaigns targeting SAP user credentials.
SAP Note 3624943 — Update during next Fiori maintenance cycle

Security Advisory Prepared by RedRays Cybersecurity Team

Based on official SAP Security Notes published August 12, 2025, and supplementary security updates from previous release cycles.

© 2025 RedRays. All recommendations should be tested in development environments before production deployment. Consult with SAP support for environment-specific guidance.

Explore More

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series. 

JOIN