Vahagn Vardanian

Co-founder and CTO of RedRays

SAP Security Patch Day – July 2025

On July 8, 2025, SAP released its monthly security updates affecting 27 components. This month includes 5 HotNews notes (CVSS ≥ 9.0) and 3 high-priority notes (7.0 ≤ CVSS < 9.0).

Critical Vulnerabilities (HotNews)

CVE-2025-42967: Code Injection in SAP S/4HANA and SAP SCM (Characteristic Propagation)

CVSS Score: 9.9 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
Component: SCM-APO-PPS
Description: Allows remote attackers with low privileges to execute arbitrary code via the characteristic propagation mechanism.
Priority: HotNews
Released: July 8, 2025
Recommendation: Apply the patch immediately.

CVE-2025-30012: Multiple vulnerabilities in SAP Supplier Relationship Management (Live Auction Cockpit)

CVSS Score: 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Component: SRM-LA
Description: A series of critical flaws enabling remote code execution and full system compromise.
Priority: HotNews
Released: July 8, 2025
Recommendation: Urgently apply the patch.

CVE-2025-42966: Insecure Deserialization in SAP NetWeaver (XML Data Archiving Service)

CVSS Score: 9.1 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
Component: BC-ILM-DAS
Description: Deserialization flaw allows attackers to execute arbitrary code.
Priority: HotNews
Released: July 8, 2025
Recommendation: Install the fix immediately.

CVE-2025-42964: Insecure Deserialization in SAP NetWeaver Enterprise Portal Administration

CVSS Score: 9.1 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
Component: BC-PIN-PCD
Description: Deserialization vulnerability permits arbitrary code execution with elevated privileges.
Priority: HotNews
Released: July 8, 2025
Recommendation: Apply the patch without delay.

CVE-2025-42980: Insecure Deserialization in SAP NetWeaver Federated Portal Network

CVSS Score: 9.1 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
Component: EP-PIN-FPN
Description: Deserialization flaw enabling remote code execution in the Federated Portal Network.
Priority: HotNews
Released: July 8, 2025
Recommendation: Deploy the update immediately.

High-Priority Vulnerabilities

CVE-2025-42953: Missing Authorization Check in SAP NetWeaver Application Server for ABAP

CVSS Score: 8.1 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
Component: BC-CCM-CNF-OPM
Description: Allows low-privileged users to perform critical operations by bypassing authorization checks.
Priority: Correction with high priority
Released: July 8, 2025
Recommendation: Schedule patching in your next maintenance window.

CVE-2024-53677: Insecure File Operations in SAP BusinessObjects BI Platform (CMC)

CVSS Score: 8.0 (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
Component: BI-BIP-CMC
Description: File operation flaws could lead to remote code execution.
Priority: Correction with high priority
Released: July 8, 2025
Recommendation: Apply the update immediately.

CVE-2025-42952: Missing Authorization Check in SAP Business Warehouse and Plug-In Basis

CVSS Score: 7.7 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)
Component: CRM-MW-ADP
Description: Authorization bypass could impact system availability.
Priority: Correction with high priority
Released: July 8, 2025
Recommendation: Patch as soon as possible.

Medium-Priority Vulnerabilities

CVE-2025-43001: Multiple Privilege Escalation Vulnerabilities in SAPCAR

CVSS Score: 6.9 (CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:L)
Component: BC-INS-TLS
Description: Multiple flaws allow privilege escalation in the SAPCAR utility.
Priority: Correction with medium priority
Released: July 8, 2025

CVE-2025-42997: Information Disclosure in SAP Gateway Client

CVSS Score: 6.6 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L)
Component: OPU-GW-V4
Description: Disclosure of sensitive information via the SAP Gateway Client.
Priority: Correction with medium priority
Released: July 8, 2025

CVE-2025-42981: Multiple Vulnerabilities in SAP NetWeaver Application Server ABAP

CVSS Score: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Component: BC-FES-ITS
Description: Several issues impacting data confidentiality and handling.
Priority: Correction with medium priority
Released: July 8, 2025

CVE-2025-42962: Cross-Site Scripting (XSS) in SAP Business Warehouse (BEx Web 3.5 animation)

CVSS Score: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Component: BW-BEX-ET-WEB
Description: XSS vulnerability in the loading animation of BEx Web.
Priority: Correction with medium priority
Released: July 8, 2025

CVE-2025-42969: Cross-Site Scripting (XSS) in SAP NetWeaver AS ABAP

CVSS Score: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Component: BC-MID-AC
Description: XSS flaw allows script execution in ABAP environments.
Priority: Correction with medium priority
Released: July 8, 2025

CVE-2025-42970: Directory Traversal in SAPCAR

CVSS Score: 5.8 (CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:H)
Component: BC-INS-TLS
Description: Traversal bug allows access to files outside the intended directory.
Priority: Correction with medium priority
Released: July 8, 2025

CVE-2025-42979: Insecure Key & Secret Management in SAP GUI for Windows

CVSS Score: 5.6 (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N)
Component: BC-FES-GXT
Description: Weak storage of keys and secrets may lead to credential exposure.
Priority: Correction with medium priority
Released: July 8, 2025

CVE-2025-42973: Cross-Site Scripting (XSS) in SAP Data Services (DQ Report)

CVSS Score: 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Component: EIM-DS-SVR
Description: XSS allows injection of scripts into DQ reports.
Priority: Correction with medium priority
Released: July 8, 2025

CVE-2025-42974: Missing Authorization Check in SAP NetWeaver and ABAP Platform (SDCCN)

CVSS Score: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Component: SV-SMG-SDD
Description: Authorization bypass in the SDCCN service.
Priority: Correction with medium priority
Released: July 8, 2025

Low-Priority Vulnerabilities

CVE-2025-42971: Memory Corruption in SAPCAR

CVSS Score: 4.0 (CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:L)
Component: BC-INS-TLS
Description: Memory corruption issue in the SAPCAR utility with limited attack surface.
Priority: Correction with low priority
Released: July 8, 2025

CVE-2025-42978: Insufficient Hostname Verification for Outbound TLS in SAP NetWeaver AS Java

CVSS Score: 3.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)
Component: BC-JAS-SEC
Description: Weak hostname validation on outbound TLS connections.
Priority: Correction with low priority
Released: July 8, 2025
