On January 14, 2025, SAP released its monthly Security Patch Day updates, addressing several vulnerabilities across various products, including SAP NetWeaver Application Server, SAP GUI, SAP BusinessObjects Business Intelligence Platform, and more. Below, we provide an overview of the most critical vulnerabilities, their risk levels, and recommended actions to safeguard your SAP landscape.
Critical and High-Priority Vulnerabilities
CVE-2025-0070 Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform
- CVSS Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
- Affected Component: SAP NetWeaver ABAP Server and ABAP Platform
- Description: A critical vulnerability due to improper authentication mechanisms that could allow an attacker with low privileges to gain full access to the system. Exploitation may lead to a complete compromise of confidentiality, integrity, and availability of the system.
- Priority: HotNews
Recommendation: This vulnerability requires immediate attention. Since it can be exploited remotely (AV:N) without user interaction (UI:N) and has a high impact on the system, it is imperative to apply the provided patches as soon as possible.
CVE-2025-0066 Information Disclosure Vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework)
- CVSS Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
- Affected Component: Internet Communication Framework in SAP NetWeaver AS ABAP
- Description: An information disclosure vulnerability that allows an attacker with low privileges to access and potentially compromise sensitive data and system integrity over the network.
- Priority: HotNews
Recommendation: Given the criticality and ease of exploitation, promptly implement the recommended security notes to protect your systems from potential breaches.
CVE-2025-0063 SQL Injection Vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform
- CVSS Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- Affected Component: SAP NetWeaver AS for ABAP and ABAP Platform
- Description: A high-severity SQL injection vulnerability that enables an attacker with low privileges to manipulate database queries. Successful exploitation could lead to unauthorized data access, modification, or denial of service.
- Priority: Correction with high priority
Recommendation: Apply the security patches promptly to prevent attackers from exploiting this vulnerability to compromise your database integrity and confidentiality.
CVE-2025-0061 Multiple Vulnerabilities in SAP BusinessObjects Business Intelligence Platform
- CVSS Score: 8.7 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N)
- Affected Component: SAP BusinessObjects Business Intelligence Platform
- Description: Multiple vulnerabilities affecting the platform could allow unauthenticated attackers to compromise system confidentiality and integrity, despite the high attack complexity.
- Priority: Correction with high priority
Recommendation: Despite requiring a more complex attack (AC:H), the potential impact is severe. It's crucial to implement the patches to safeguard your BI platform from possible exploitation.
CVE-2025-0069 DLL Hijacking Vulnerability in SAPSetup
- CVSS Score: 7.8 (AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
- Affected Component: SAPSetup
- Description: A DLL hijacking vulnerability that allows a local attacker with low privileges to execute arbitrary code. Successful exploitation can lead to a complete takeover of the affected system.
- Priority: Correction with high priority
Recommendation: Even though exploitation requires local access and has a high attack complexity, the significant impact on confidentiality, integrity, and availability necessitates timely patching.
Medium-Priority Vulnerabilities
CVE-2025-0058 Information Disclosure Vulnerability in SAP Business Workflow and SAP Flexible Workflow
- CVSS Score: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
- Affected Component: SAP Business Workflow and SAP Flexible Workflow
- Description: An information disclosure issue allowing attackers with low privileges to access confidential data over the network.
- Priority: Correction with medium priority
Recommendation: Address this vulnerability to prevent unauthorized access to sensitive workflow information.
CVE-2025-0067 Missing Authorization Check in SAP NetWeaver Application Server Java
- CVSS Score: 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
- Affected Component: SAP NetWeaver Application Server Java
- Description: A missing authorization check that could allow an attacker with low privileges to perform unauthorized actions, potentially compromising system confidentiality and integrity.
- Priority: Correction with medium priority
Recommendation: Implement the security updates to enforce proper authorization checks and protect against privilege escalation.
CVE-2025-0056 Information Disclosure Vulnerability in SAP GUI for Java
- CVSS Score: 6.0 (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)
- Affected Component: SAP GUI for Java
- Description: A vulnerability that may allow high-privileged local attackers to access sensitive information due to improper handling of system data.
- Priority: Correction with medium priority
Recommendation: Update SAP GUI for Java to prevent potential exposure of confidential information on user workstations.
CVE-2025-0055 Information Disclosure Vulnerability in SAP GUI for Windows
- CVSS Score: 6.0 (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)
- Affected Component: SAP GUI for Windows
- Description: Similar to the SAP GUI for Java issue, this vulnerability could allow local attackers with high privileges to access sensitive system information.
- Priority: Correction with medium priority
Recommendation: Apply the necessary updates to SAP GUI for Windows to safeguard against unauthorized information disclosure.
CVE-2025-0059 Information Disclosure Vulnerability in SAP NetWeaver Application Server ABAP (Applications Based on SAP GUI for HTML)
- CVSS Score: 6.0 (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N)
- Affected Component: SAP NetWeaver AS ABAP (SAP GUI for HTML Applications)
- Description: A vulnerability that may permit high-privileged local attackers to access sensitive data within applications based on SAP GUI for HTML.
- Priority: Correction with medium priority
Recommendation: Ensure that your systems are updated to prevent potential information leaks through SAP GUI for HTML applications.
CVE-2025-0053 Information Disclosure Vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform
- CVSS Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
- Affected Component: SAP NetWeaver AS for ABAP and ABAP Platform
- Description: An information disclosure issue that allows unauthenticated attackers to access limited sensitive information over the network.
- Priority: Correction with medium priority
Recommendation: Although the impact is lower, it's advisable to apply the patch to prevent any unauthorized data access.
CVE-2025-0068 Missing Authorization Check in Remote Function Call (RFC) in SAP NetWeaver Application Server ABAP
- CVSS Score: 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
- Affected Component: SAP NetWeaver Application Server ABAP
- Description: Due to missing authorization checks in RFC, an attacker with low privileges could access restricted functions or data.
- Priority: Correction with medium priority
Recommendation: Implement the patches to ensure proper authorization checks are in place for RFC calls.
CVE-2025-0057 Cross-Site Scripting Vulnerability in SAP NetWeaver AS JAVA (User Admin Application)
- CVSS Score: 4.8 (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N)
- Affected Component: SAP NetWeaver AS JAVA (User Admin Application)
- Description: An XSS vulnerability that can be exploited by attackers with high privileges to inject malicious scripts, potentially leading to session hijacking or token theft.
- Priority: Correction with medium priority
Recommendation: Apply the security update to prevent potential exploitation through malicious script injection.
