Vahagn Vardanian

Co-founder and CTO of RedRays

SAP Security Patch Day – May 2025

On May 13, 2025, SAP released its monthly Security Patch Day updates, addressing 18 new vulnerabilities across various SAP products and components. This month's release includes 2 HotNews notes (CVSS score ≥ 9.0) and 5 High Priority notes (CVSS score ≥ 7.0), making it a significant update cycle for SAP administrators.

Critical Vulnerabilities (HotNews)

CVE-2025-31324: Missing Authorization check in SAP NetWeaver (Visual Composer development server)

CVSS Score: 10.0 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Affected Component: EP-VC-INF

Description: This vulnerability poses the highest possible risk, with the maximum CVSS score of 10.0: it requires no authentication or user interaction, is reachable over the network, and can result in complete system compromise with high impact on confidentiality, integrity, and availability.

Priority: HotNews

Released: May 13, 2025 (First released: April 24, 2025)

SAP Note: 3594142

Recommendation: Apply patch immediately as this vulnerability can be exploited remotely with minimal effort by unauthenticated users.

CVE-2025-42999: Insecure Deserialization in SAP NetWeaver (Visual Composer development server)

CVSS Score: 9.1 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

Affected Component: EP-VC-INF

Description: This vulnerability allows an authenticated attacker to potentially gain complete control of the affected system through insecure deserialization, affecting confidentiality, integrity, and availability.

Priority: HotNews

Released: May 14, 2025 (First released: May 13, 2025)

SAP Note: 3604119

Recommendation: Immediate patching is required as this vulnerability allows authenticated attackers to compromise system security via insecure deserialization.

High-Priority Vulnerabilities

CVE-2025-30018: Multiple vulnerabilities in SAP Supplier Relationship Management

CVSS Score: 8.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

Affected Component: SRM-LA (Live Auction Cockpit)

Description: These vulnerabilities allow unauthenticated attackers to gain unauthorized access to sensitive information with high impact to confidentiality.

Priority: Correction with high priority

SAP Note: 3578900

Recommendation: Apply the security patch promptly to prevent unauthorized access to sensitive information.

CVE-2025-43010: Code injection vulnerability in SAP S/4HANA Cloud Private Edition or On Premise

CVSS Score: 8.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H)

Affected Component: SCM-BAS-MDL (SCM Master Data Layer)

Description: This vulnerability enables authenticated attackers to inject malicious code, potentially affecting system integrity and availability.

Priority: Correction with high priority

SAP Note: 3600859

Recommendation: Implement the provided patch to prevent code injection attacks that could compromise system security.

CVE-2025-43011: Missing Authorization Check in SAP Landscape Transformation

CVSS Score: 7.7 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

Affected Component: CA-LT-PCL (PCL Basis)

Description: This vulnerability allows authenticated attackers to access sensitive information due to missing authorization checks.

Priority: Correction with high priority

SAP Note: 3591978

Recommendation: Apply the security update to implement proper authorization controls and prevent unauthorized access.

CVE-2024-39592: Missing Authorization check in SAP PDCE

CVSS Score: 7.7 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

Affected Component: FIN-BA

Description: Similar to the previous vulnerability, this allows authenticated attackers to access sensitive information due to missing authorization checks.

Priority: Correction with high priority

Released: May 13, 2025 (First released: July 9, 2024)

SAP Note: 3483344

Recommendation: Update affected systems promptly to prevent unauthorized access to sensitive information.

CVE-2025-43000: Information Disclosure Vulnerability in SAP Business Objects Business Intelligence Platform

CVSS Score: 7.9 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L)

Affected Component: BI-BIP-LCM (PMW)

Description: This locally exploitable vulnerability can lead to significant information disclosure with potential impacts on integrity.

Priority: Correction with high priority

SAP Note: 3586013

Recommendation: Apply the security patch to prevent potential information disclosure in Business Intelligence platforms.

Medium-Priority Vulnerabilities

CVE-2025-43006: Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management

CVSS Score: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Component: SRM-CAT-MDM (Master Data Management Catalog)

Description: A cross-site scripting vulnerability that could allow attackers to inject malicious scripts, potentially leading to session hijacking or credential theft.

Priority: Correction with medium priority

SAP Note: 3588455

CVE-2025-26662: Cross-Site Scripting (XSS) vulnerability in the SAP Data Services Management Console

CVSS Score: 4.4 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Component: EIM-DS-SVR

Description: An XSS vulnerability that requires user interaction and low privileges, and has high attack complexity.

Priority: Correction with medium priority

SAP Note: 3558755

CVE-2025-43008: Missing Authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal

CVSS Score: 5.8 (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N)

Affected Component: PY-PT

Description: A missing authorization check that could allow authenticated users with high privileges to access sensitive data.

Priority: Correction with medium priority

SAP Note: 3585992

CVE-2025-43005: Information Disclosure vulnerability in SAP GUI for Windows

CVSS Score: 4.3 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)

Affected Component: BC-FES-GXT

Description: An information disclosure vulnerability that requires local access but no authentication to exploit.

Priority: Correction with medium priority

SAP Note: 3574520

CVE-2025-42997: Information Disclosure vulnerability in SAP Gateway Client

CVSS Score: 6.6 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L)

Affected Component: OPU-GW-V4

Description: An information disclosure vulnerability that requires high privileges; successful exploitation has low impact on confidentiality, integrity, and availability.

Priority: Correction with medium priority

SAP Note: 3577300

CVE-2025-43004: Security Misconfiguration Vulnerability in SAP Digital Manufacturing

CVSS Score: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Component: MFG-DM (Production Operator Dashboard)

Description: A security misconfiguration vulnerability that could allow unauthenticated attackers to access limited sensitive information.

Priority: Correction with medium priority

SAP Note: 3571096

CVE-2025-43003: Information Disclosure vulnerability in SAP S/4HANA (Private Cloud & On-Premise)

CVSS Score: 6.4 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L)

Affected Component: CRM-MD-BP

Description: An information disclosure vulnerability with high attack complexity that could nevertheless expose highly confidential information.

Priority: Correction with medium priority

SAP Note: 3596033

CVE-2025-43007: Missing Authorization check in SAP Service Parts Management (SPM)

CVSS Score: 6.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

Affected Component: LO-SPM-X

Description: A missing authorization check that could allow authenticated users with low privileges to access and modify some data.

Priority: Correction with medium priority

SAP Note: 2719724

CVE-2025-43009: Missing Authorization check in SAP Service Parts Management (SPM)

CVSS Score: 6.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

Affected Component: LO-SPM-OUT

Description: Similar to the previous vulnerability, this missing authorization check affects a different component of SPM.

Priority: Correction with medium priority

SAP Note: 2491817

CVE-2025-43002: Missing Authorization check in SAP S/4HANA (OData meta-data property)

CVSS Score: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Component: MM-PUR-SVC-SES

Description: A missing authorization check that could allow authenticated users with low privileges to access limited sensitive information.

Priority: Correction with medium priority

SAP Note: 3227940

CVE-2025-31329: Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform

CVSS Score: 6.2 (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N)

Affected Component: BC-MID-RFC

Description: An information disclosure vulnerability that requires high privileges and user interaction but could expose highly confidential information.

Priority: Correction with medium priority

SAP Note: 3577287

Understanding CVSS Scoring

The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. SAP uses CVSS to communicate the severity of vulnerabilities fixed in SAP security notes.

CVSS scores range from 0 to 10, with the following severity ratings:

  • Critical (9.0-10.0): Also called "HotNews" in SAP terminology
  • High (7.0-8.9): Labeled as "Correction with high priority"
  • Medium (4.0-6.9): Labeled as "Correction with medium priority"
  • Low (0.1-3.9): Labeled as "Correction with low priority"

Understanding the CVSS vector string (e.g., CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) helps assess vulnerability characteristics:

  • AV (Attack Vector): Network (N), Adjacent (A), Local (L), Physical (P)
  • AC (Attack Complexity): Low (L) or High (H)
  • PR (Privileges Required): None (N), Low (L), High (H)
  • UI (User Interaction): None (N) or Required (R)
  • S (Scope): Unchanged (U) or Changed (C)
  • C/I/A (Confidentiality/Integrity/Availability Impact): None (N), Low (L), High (H)

This analysis is based on the official SAP Security Notes released on May 14, 2025. For detailed technical information and implementation guidance, please refer to the SAP Security Notes on the SAP Support Portal.
