What you need to know:
On July 8, 2025, SAP released 27 new Security Notes as part of its monthly Security Patch Day, along with 4 updates to previously released notes. This month’s release represents a significant escalation in both volume and severity, featuring 1 Critical-severity vulnerability with the maximum CVSS score of 10.0, 5 additional Critical-severity issues (CVSS 9.1–9.9), 3 High-severity vulnerabilities (CVSS 7.6–8.1), 13 Medium-severity issues (CVSS 4.0–6.9), and 2 Low-severity problems (CVSS 2.7–3.5). The focus heavily emphasizes insecure deserialization attacks and missing authorization checks, with several notes addressing authentication bypass scenarios that could lead to complete system compromise.
Key Highlights by Severity
Critical Priority (CVSS 10.0):
- The most severe vulnerability affects SAP Supplier Relationship Management (Live Auction Cockpit), encompassing five distinct security flaws including insecure deserialization, blind XXE, XSS, open redirect, and information disclosure. The lead vulnerability enables unauthenticated attackers to execute arbitrary OS commands as SAP Administrator, representing the highest possible threat level.
Critical Priority (CVSS 9.9):
- A code injection vulnerability in SAP S/4HANA and SAP SCM Characteristic Propagation allows authenticated users to gain full system control through malicious code execution, affecting multiple core business systems across various versions.
Critical Priority (CVSS 9.1):
- Four separate insecure deserialization vulnerabilities target SAP NetWeaver Enterprise Portal components, XML Data Archiving Service, and Java Log Viewer applications. These attacks enable privileged users to upload malicious content leading to complete system compromise with high impact on confidentiality, integrity, and availability.
High Priority (CVSS 8.1):
- Missing authentication checks in SAP NetWeaver systems, particularly affecting environments where previous security notes have been implemented, enabling replay attacks and privilege escalation.
- Authorization bypass vulnerabilities in SAP NetWeaver Application Server for ABAP that could completely compromise system integrity and availability.
High Priority (CVSS 8.0-7.7):
- File operation vulnerabilities in SAP Business Objects BI Platform involving outdated Apache Struts components.
- Missing authorization checks in SAP Business Warehouse and Plug-In Basis that could render systems unusable through database manipulation.
Medium Priority (CVSS 4.0-6.9):
- Multiple Cross-Site Scripting (XSS) vulnerabilities across SAP NetWeaver ABAP, Business Warehouse, and Data Services components.
- Directory traversal issues in SAPCAR archives enabling file system manipulation.
- Open redirect vulnerabilities in BusinessObjects workbenches.
- Various missing authorization checks across different SAP modules affecting data access and system operations.
Key Highlights by Severity
SAP NetWeaver (Core Platform):
Remains the primary target, with 8 security notes affecting Application Server ABAP, Java stack, Enterprise Portal, XML Data Archiving, and related components. Issues include critical deserialization vulnerabilities, authorization bypasses, and misconfigured access controls. Affected subsystems also span SAP Gateway (RFC/OData exposure), SAPCAR (archive extraction), and embedded NetWeaver-based SAP BW components.
- SAP Business Warehouse:
Five security notes cover vulnerabilities in BEx tools, middleware, and the Common Configuration Analysis Workbench (CCAW). Findings emphasize cross-site scripting (XSS), insufficient input validation, and weak authorization enforcement across analytical components.
- SAPCAR (Archive Tool):
Three security notes address privilege escalation, directory traversal, and memory corruption vulnerabilities in SAPCAR, a critical utility used for software deployment and transport unpacking.
- SAP Gateway and Related Services:
Two notes resolve issues in SAP Gateway and Enterprise Event services, including improperly secured RFC destinations and exposed OData/event endpoints lacking adequate access control.
SAP S/4HANA:
Three security notes impact core business functions, including a critical issue in Characteristic Propagation and additional flaws in Enterprise Event Enablement. These highlight risks in modern, event-driven S/4HANA landscapes, especially where integration and replication services are exposed.
SAP BusinessObjects BI Platform:
Four notes affect the Central Management Console, Web Intelligence, and related services. Key risks include file path traversal and injection vulnerabilities, potentially enabling unauthorized file access or remote command execution.
The botton line:
July’s release represents a critical escalation in SAP security threats, demanding immediate organizational response:
- Emergency Patching Required for the CVSS 10.0 SRM Live Auction vulnerability to prevent complete system compromise through unauthenticated attacks.
- Immediate Action Needed for all 6 Critical-severity vulnerabilities, particularly the S/4HANA code injection and NetWeaver deserialization flaws affecting core business operations.
- Enhanced Monitoring Implementation for Java-based components and Enterprise Portal systems, given the concentration of deserialization attacks targeting these platforms.
- Authorization Implementation Review across all SAP landscapes to address the missing authorization checks that were identified in multiple product lines during this patch cycle.
- Dependency Management Assessment to identify and remediate outdated third-party libraries and framework components that continue to present security risks in production environments.
- Incident Response Preparation for potential exploitation of the maximum-severity vulnerability, including backup verification and system isolation procedures.
Organizations must prioritize immediate patching for critical vulnerabilities while implementing enhanced monitoring and defense-in-depth strategies to minimize exposure. The prevalence of authorization bypass issues highlights the need for comprehensive security assessments beyond traditional perimeter-based approaches.
At Vicxer, our SAP security experts streamline vulnerability management with real-time monitoring and tailored remediation strategies. Safeguard your landscape against evolving threats—contact us today to fortify your SAP environment.
You must be logged in to post a comment.