On July 8, 2025, SAP released its monthly security updates affecting 27 components. This month includes 5 HotNews notes (CVSS ≥ 9.0) and 3 high-priority notes (7.0 ≤ CVSS < 9.0).
Critical Vulnerabilities (HotNews)
CVE-2025-42967: Code Injection in SAP S/4HANA and SAP SCM (Characteristic Propagation)
CVSS Score: 9.9 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Component: SCM-APO-PPS
Description: Allows remote attackers with low privileges to execute arbitrary code via the characteristic propagation mechanism.
Priority: HotNews
Released: July 8, 2025
Recommendation: Apply the patch immediately.
CVE-2025-30012: Multiple vulnerabilities in SAP Supplier Relationship Management (Live Auction Cockpit)
CVSS Score: 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Component: SRM-LA
Description: A series of critical flaws enabling remote code execution and full system compromise.
Priority: HotNews
Released: July 8, 2025
Recommendation: Urgently apply the patch.
CVE-2025-42966: Insecure Deserialization in SAP NetWeaver (XML Data Archiving Service)
CVSS Score: 9.1 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
Component: BC-ILM-DAS
Description: Deserialization flaw allows attackers to execute arbitrary code.
Priority: HotNews
Released: July 8, 2025
Recommendation: Install the fix immediately.
CVE-2025-42964: Insecure Deserialization in SAP NetWeaver Enterprise Portal Administration
CVSS Score: 9.1 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
Component: BC-PIN-PCD
Description: Deserialization vulnerability permits arbitrary code execution with elevated privileges.
Priority: HotNews
Released: July 8, 2025
Recommendation: Apply the patch without delay.
CVE-2025-42980: Insecure Deserialization in SAP NetWeaver Federated Portal Network
CVSS Score: 9.1 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
Component: EP-PIN-FPN
Description: Deserialization flaw enabling remote code execution in the Federated Portal Network.
Priority: HotNews
Released: July 8, 2025
Recommendation: Deploy the update immediately.
High-Priority Vulnerabilities
CVE-2025-42953: Missing Authorization Check in SAP NetWeaver Application Server for ABAP
CVSS Score: 8.1 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
Component: BC-CCM-CNF-OPM
Description: Allows low-privileged users to perform critical operations by bypassing authorization checks.
Priority: Correction with high priority
Released: July 8, 2025
Recommendation: Schedule patching in your next maintenance window.
CVE-2024-53677: Insecure File Operations in SAP BusinessObjects BI Platform (CMC)
CVSS Score: 8.0 (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
Component: BI-BIP-CMC
Description: File operation flaws could lead to remote code execution.
Priority: Correction with high priority
Released: July 8, 2025
Recommendation: Apply the update immediately.
CVE-2025-42952: Missing Authorization Check in SAP Business Warehouse and Plug-In Basis
CVSS Score: 7.7 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)
Component: CRM-MW-ADP
Description: Authorization bypass could impact system availability.
Priority: Correction with high priority
Released: July 8, 2025
Recommendation: Patch as soon as possible.
Medium-Priority Vulnerabilities
CVE-2025-43001: Multiple Privilege Escalation Vulnerabilities in SAPCAR
CVSS Score: 6.9 (CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:L)
Component: BC-INS-TLS
Description: Multiple flaws allow privilege escalation in the SAPCAR utility.
Priority: Correction with medium priority
Released: July 8, 2025
CVE-2025-42997: Information Disclosure in SAP Gateway Client
CVSS Score: 6.6 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L)
Component: OPU-GW-V4
Description: Disclosure of sensitive information via the SAP Gateway Client.
Priority: Correction with medium priority
Released: July 8, 2025
CVE-2025-42981: Multiple Vulnerabilities in SAP NetWeaver Application Server ABAP
CVSS Score: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Component: BC-FES-ITS
Description: Several issues impacting data confidentiality and handling.
Priority: Correction with medium priority
Released: July 8, 2025
CVE-2025-42962: Cross-Site Scripting (XSS) in SAP Business Warehouse (BEx Web 3.5 animation)
CVSS Score: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Component: BW-BEX-ET-WEB
Description: XSS vulnerability in the loading animation of BEx Web.
Priority: Correction with medium priority
Released: July 8, 2025
CVE-2025-42969: Cross-Site Scripting (XSS) in SAP NetWeaver AS ABAP
CVSS Score: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Component: BC-MID-AC
Description: XSS flaw allows script execution in ABAP environments.
Priority: Correction with medium priority
Released: July 8, 2025
CVE-2025-42970: Directory Traversal in SAPCAR
CVSS Score: 5.8 (CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:H)
Component: BC-INS-TLS
Description: Traversal bug allows access to files outside the intended directory.
Priority: Correction with medium priority
Released: July 8, 2025
CVE-2025-42979: Insecure Key & Secret Management in SAP GUI for Windows
CVSS Score: 5.6 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N)
Component: BC-FES-GXT
Description: Weak storage of keys and secrets may lead to credential exposure.
Priority: Correction with medium priority
Released: July 8, 2025
CVE-2025-42973: Cross-Site Scripting (XSS) in SAP Data Services (DQ Report)
CVSS Score: 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Component: EIM-DS-SVR
Description: XSS allows injection of scripts into DQ reports.
Priority: Correction with medium priority
Released: July 8, 2025
CVE-2025-42974: Missing Authorization Check in SAP NetWeaver and ABAP Platform (SDCCN)
CVSS Score: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Component: SV-SMG-SDD
Description: Authorization bypass in the SDCCN service.
Priority: Correction with medium priority
Released: July 8, 2025
Low-Priority Vulnerabilities
CVE-2025-42971: Memory Corruption in SAPCAR
CVSS Score: 4.0 (CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L)
Component: BC-INS-TLS
Description: Memory corruption issue in the SAPCAR utility with limited attack surface.
Priority: Correction with low priority
Released: July 8, 2025
CVE-2025-42978: Insufficient Hostname Verification for Outbound TLS in SAP NetWeaver AS Java
CVSS Score: 3.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)
Component: BC-JAS-SEC
Description: Weak hostname validation on outbound TLS connections.
Priority: Correction with low priority
Released: July 8, 2025