SAP Security Patch Day - February 2025

  • On February 11, 2025, SAP released 19 new Security Notes and 2 updates to previous patches, as part of its monthly Security Patch Day.
  • This release addresses vulnerabilities across multiple SAP components, with 6 High-priority notes (CVSS 7.1–8.8) and 13 Medium-priority notes (CVSS 4.3–6.8).
  • Unlike January’s release, no Critical-severity vulnerabilities were disclosed this month.

This month's Notes Overview

High Priority (CVSS 7.1 – 8.8) 

  • Authentication bypasses: Notes #3567974 (SAP Approuter) and #3567551 (SRM path traversal) allow attackers to bypass security controls, via authorization code injection in the first case and unauthenticated file downloads in the second.
  • Impersonation risks: Note #3525794 (BusinessObjects BI) enables admin-level impersonation via passphrase extraction.
  • Cross-component exposure: Vulnerabilities affect Java-based systems (#3417627 in NetWeaver AS Java), HANA XS advanced (#3563929), and SAPGUI (#3562336).

Medium Priority (CVSS 4.3 – 6.8)

  • Authorization gaps: Multiple notes (#3546470, #3553753) highlight missing authorization checks in ABAP Platform and NetWeaver.
  • Client-side risks: Insecure cookie configurations (#3555364 in Commerce) and missing clickjacking protections (#3559510) dominate.
  • Information leaks: Notes #3550027 (NetWeaver Java) and #3561264 (ABAP Server) expose metadata or user data.

Main SAP Affected Components

  • SAP BusinessObjects BI: Central Management Console and BI Launchpad vulnerabilities (2 High Notes and 1 Medium Severity Note).
  • SAP NetWeaver AS Java: Multiple XSS and authorization flaws (4 Notes)
  • SAP Commerce: Cookie security and clickjacking issues (2 Medium Severity Notes)
  • SAP HANA XS Advanced: Open redirect vulnerability (1 High Note)
  • SAP Supplier Relationship Management (SRM): Unauthenticated file download (1 High Note).

The Bottom Line

February’s release underscores persistent risks in Java-based systems and BI platforms, with High-severity flaws enabling impersonation, data theft, and system manipulation. While no Critical-severity vulnerabilities were disclosed, the volume of High/Medium issues, particularly in widely used components like NetWeaver and BusinessObjects, demands prioritization.


Organizations should:

  • Patch High Severity Notes first.
  • Review SAP Commerce cookie configurations (Secure, HttpOnly and SameSite attributes) and framing protections (X-Frame-Options or CSP frame-ancestors) to mitigate CSRF and clickjacking risks.
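The two client-side weaknesses named among this month's Medium notes (insecure cookie configuration and missing clickjacking protection) can be checked from a single captured HTTP response. The script below is an added example, not code from SAP or Vicxer and not tied to any specific note: it parses a list of response headers, flags cookies lacking Secure, HttpOnly or a restrictive SameSite value, and flags pages that can be framed because neither a CSP frame-ancestors directive nor a DENY/SAMEORIGIN X-Frame-Options header is present. The two sample responses and their cookie names are constructed for illustration, not captured from an SAP system.

```python
"""Audit a response's headers for insecure cookie attributes and missing
clickjacking protection.  Added example, not code from SAP or Vicxer; the
header sets at the bottom are constructed, not captured from an SAP system."""


def parse_set_cookie(value):
    """Split a Set-Cookie value into (cookie name, {attribute: value or True}).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    map to True because they carry no value."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name, attrs


def audit_cookie(value):
    """Return (cookie name, list of issues) for one Set-Cookie header."""
    name, attrs = parse_set_cookie(value)
    issues = []
    if "secure" not in attrs:
        issues.append("missing Secure: cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        issues.append("missing HttpOnly: cookie is readable from script (XSS)")
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True:
        issues.append("missing SameSite: cross-site requests may carry it (CSRF)")
    elif samesite.lower() == "none":
        issues.append("SameSite=None: sent on every cross-site request (CSRF)")
    return name, issues


def audit_response(headers):
    """Audit a list of (header name, value) pairs from one HTTP response.

    A response may carry several Set-Cookie headers, so the input is a list
    of pairs rather than a dict.  Returns
    {"cookies": {name: [issues]}, "framing": [issues]}."""
    findings = {"cookies": {}, "framing": []}
    xfo = None
    frame_ancestors = None
    for name, value in headers:
        key = name.lower()
        if key == "set-cookie":
            cname, issues = audit_cookie(value)
            findings["cookies"][cname] = issues
        elif key == "x-frame-options":
            xfo = value.strip().upper()
        elif key == "content-security-policy":
            for directive in value.split(";"):
                tokens = directive.split()
                if tokens and tokens[0].lower() == "frame-ancestors":
                    frame_ancestors = tokens[1:]
    # Browsers honour CSP frame-ancestors over X-Frame-Options when both are
    # present, so a restrictive frame-ancestors or DENY/SAMEORIGIN is enough.
    if frame_ancestors is not None:
        if "*" in frame_ancestors:
            findings["framing"].append("frame-ancestors *: any origin may frame the page (clickjacking)")
    elif xfo not in ("DENY", "SAMEORIGIN"):
        findings["framing"].append("no frame-ancestors and no DENY/SAMEORIGIN X-Frame-Options: page can be framed (clickjacking)")
    return findings


def is_clean(findings):
    """True when no cookie or framing issue was recorded."""
    return not findings["framing"] and all(not v for v in findings["cookies"].values())


# Constructed sample responses; cookie names and values are illustrative.
WEAK_RESPONSE = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "JSESSIONID=0F3A9C; Path=/"),
    ("Set-Cookie", "cart_token=8d1e; Path=/; Secure"),
]

HARDENED_RESPONSE = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "JSESSIONID=0F3A9C; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "cart_token=8d1e; Path=/; Secure; HttpOnly; SameSite=Strict"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'"),
    ("X-Frame-Options", "SAMEORIGIN"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        result = audit_response(response)
        print(f"{label}: clean={is_clean(result)}")
        for cname, issues in result["cookies"].items():
            for issue in issues:
                print(f"  cookie {cname}: {issue}")
        for issue in result["framing"]:
            print(f"  framing: {issue}")
```

Feed it the headers of a real response (for example, the pairs from `response.raw.headers.items()` when using `requests`) to get the same findings for a live system; the session cookie name and the exact framing header an SAP Commerce storefront emits depend on the deployment, which is why the sample names above are labelled illustrative.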

At Vicxer, our team of SAP security experts provides end-to-end vulnerability management, from risk assessment to remediation. Vicxer’s SAP Security Platform ensures continuous monitoring and compliance for SAP ecosystems, helping you stay ahead of evolving threats. 

Remember: Proactive and periodic patching remains essential to secure SAP environments against emerging attack vectors.
