What you need to know
On August 12, 2025, SAP released 15 new Security Notes as part of its monthly Security Patch Day, along with 4 updates to previously released notes. This month’s release maintains the pattern of substantial security activity, featuring 3 Critical-severity vulnerabilities with CVSS scores of 9.9, 2 additional High-severity issues (CVSS 8.1–8.8), 12 Medium-severity problems (CVSS 4.1–6.9), and 2 Low-severity vulnerabilities (CVSS 3.5). The emphasis heavily centers on code injection attacks and authorization bypasses, with several notes addressing flaws that could lead to full system compromise.
Key Highlights by Severity
Critical Priority (CVSS 9.9)
- Three separate code injection vulnerabilities target SAP S/4HANA (Private Cloud or On-Premise) and SAP Landscape Transformation (Analysis Platform). These flaws could enable authenticated users to inject arbitrary ABAP code via RFC-exposed function modules, bypassing authorization checks and potentially compromising system confidentiality, integrity, and availability.
High Priority (CVSS 8.8)
- A broken authorization flaw in SAP Business One (SLD) could allow authenticated users to gain administrator privileges through API exploitation, with high impacts across confidentiality, integrity, and availability.
High Priority (CVSS 8.1)
- Multiple vulnerabilities in SAP NetWeaver Application Server ABAP (BIC Document), including memory corruption and reflected XSS, could permit authenticated users to crash components or access sensitive information.
Medium Priority (CVSS 4.1–6.9)
- Various issues including directory traversal in SAP S/4HANA (Bank Communication Management), HTML injection and XSS in NetWeaver components, missing authorization checks across ABAP Platform versions, and information disclosure in SAP GUI for Windows.
Low Priority (CVSS 3.5)
- Minor flaws such as missing authorization in SAP Cloud Connector and reverse tabnabbing in SAP Fiori Launchpad, primarily affecting availability with limited scope.
Key Affected Components
SAP S/4HANA: 5 security notes targeting core functions including code injection, directory traversal, and CRLF injection, highlighting persistent risks in enterprise resource planning systems.
SAP NetWeaver (Multiple Components): 8 security notes affecting Application Server ABAP, Enterprise Portal, and ABAP Platform, with focus on XSS, missing authorizations, and information disclosure.
SAP Business One and Landscape Transformation: 2 security notes addressing critical code injection and broken authorization issues in business management and data transformation tools.
Other Components: Notes spanning SAP GUI for Windows, Cloud Connector, and Fiori Launchpad, emphasizing client-side and integration vulnerabilities.
Notable Trends
1. Code Injection Dominance:
Roughly 20% of critical vulnerabilities involve code injection risks, highlighting potential exploitation paths in ABAP-based systems for remote code execution.
2.High Severity Persistence:
The three CVSS 9.9 vulnerabilities represent a continued elevation in threat levels, similar to previous months, with low attack complexity making them highly exploitable.
3. Update Pattern Concentration:
Four(4) updates to previous notes from April and January releases indicate ongoing refinements to fixes for code injection and information disclosure issues.
4. Authorization Control Issues:
Over 30% of vulnerabilities stem from missing or broken authorizations, pointing to systemic challenges in SAP’s access management across platforms.
5. Multi-Component Impact:
Vulnerabilities affect a broad range of systems from core ERP to integration tools, requiring comprehensive patching strategies.
6. Client-Side Exposure:
Several notes address GUI and connector flaws, underscoring risks in end-user interfaces and cloud integrations.
Reflections on the Current Threat Landscape
Looking at August’s SAP Security Patch Day, it’s clear that while the volume of notes is slightly lower than July’s escalation, the severity remains alarmingly high with multiple paths to system compromise. The recurrence of code injection flaws in S/4HANA and related platforms feels like a persistent warning sign. These vectors offer straightforward routes to control if exploited.
A particulary notable risk is the combination of server-side weaknesses with client-side exposures. This convergence creates layered attack surfaces that cannot be addressed through patching alone; instead, they call for a comprehensive reassessment of security strategies. It’s a reminder that in the world of enterprise software, security isn’t a one-time fix. It is an ongoing battle where staying vigilant means protecting not just data, but the very foundation of business operations.
The botton line
August’s release sustains the high-threat environment from recent months, demanding prompt organizational response:
- Emergency Patching Required for the three CVSS 9.9 code injection vulnerabilities to prevent full system takeover through authenticated exploitation.
- Immediate Action Needed for all 5 High-severity vulnerabilities, particularly the Business One authorization flaw and NetWeaver memory corruption issues affecting system stability.
- Enhanced Monitoring Implementation for ABAP-based systems and NetWeaver components, given the prevalence of injection and XSS risks.
- Authorization Architecture Review across SAP landscapes to mitigate the widespread missing check vulnerabilities.
- Client-Side Security Assessment for GUI and Fiori components to address emerging disclosure and tabnabbing risks.
- Incident Response Preparation including regular backups and access logging to handle potential exploits of critical flaws.
This month’s patches reflect a sustained high-threat level with potential exploitation of core SAP infrastructure through injection and authorization weaknesses. The three critical code injection vulnerabilities, combined with updates to prior notes, suggest evolving techniques that could be used against enterprise systems.
Organizations must prioritize immediate patching for critical issues while implementing layered security controls to reduce exposure. The focus on ABAP and S/4HANA components indicates that traditional defenses may be insufficient against modern threats.
At Vicxer, our SAP security experts streamline vulnerability management with real-time monitoring and tailored remediation strategies. Safeguard your landscape against evolving threats. Contact us today to fortify your SAP environment.
You must be logged in to post a comment.