On March 11, 2025, SAP released 21 new Security Notes and 3 updates to previous patches, as part of its monthly Security Patch Day.
This month’s release focuses on High (CVSS 7.7–8.8) and Medium (CVSS 4.1–6.8) severity vulnerabilities with no Critical-severity issues reported.
Notably, one of the security notes (#3576540) is unusual as it doesn’t address a specific vulnerability but instead, it provides best practices for securing Spring Boot Actuator endpoints in BTP environments (CVSS 0.0).
Main Vulnerabilities by Severity
Key highlights include widespread XSS risks, authorization gaps, and updates addressing third-party dependencies like Apache Tomcat and Spring Framework.
High Priority (CVSS 7.7 – 8.8)
- Cross-Site Scripting (XSS): Two High-severity XSS flaws in SAP Commerce (#3569602) and SAP NetWeaver ABAP Class Builder (#3563927), both scoring CVSS 8.8.
- Third-party risks: Apache Tomcat vulnerabilities in SAP Commerce Cloud (#3566851, CVSS 8.6) and Spring Framework path traversal risks (#3562415, CVSS 3.7).
- Authentication bypass: Updated patch for SAP Approuter (#3567974, CVSS 8.1).
Medium Priority (CVSS 4.1 – 6.8)
- Authorization gaps: Missing checks in SAP S/4HANA (Bank Statements, #3565835) and SAP Business Warehouse (#3552144).
- XSS persistence: Recurring issues in SAP NetWeaver AS Java (#3567246) and BusinessObjects BI Platform (#3557469).
- Information leaks: Exposures in SAP Web Dispatcher (#3558132) and Permit to Work (#3475427).
Low Priority (CVSS <4.3)
- Configuration risks: Minor authorization gaps in SAP JIT (#3347991) and SSRF in SAP CRM (#3561861).
- Best practices note: Advisory #3576540 emphasizes securing Spring Boot Actuator endpoints in BTP environments (CVSS 0.0, non-vulnerability).
Key Affected SAP Components
- SAP NetWeaver AS (ABAP/Java): Dominates with 5+ notes (XSS, missing auth checks).
- SAP BusinessObjects BI: Recurring Medium-severity XSS and info leaks.
- SAP Commerce Cloud: High-risk XSS (Swagger UI) and Tomcat vulnerabilities.
- SAP S/4HANA: Authorization gaps in Manage Bank Statements and Fiori apps.
- SAP HANA XS Advanced: Open redirect and third-party library risks.
Notable Trends
- Updates to prior fixes: Notes #3567974 (Approuter) and #3557138 (NetWeaver AS Java) refined earlier fixes.
- Third-party dependencies: Vulnerabilities in Apache Tomcat (Commerce Cloud) and Spring Framework (Commerce/Datahub) highlight supply-chain risks.
- Non-vulnerability advisory: Note #3576540 breaks precedent by focusing on Spring Boot Actuator endpoint best practices, urging proactive security configurations.
The Bottom Line
March’s release underscores persistent risks in Java-based systems, BI platforms, and SAP Commerce, with High-severity XSS and authorization flaws posing systemic threats. While no Critical vulnerabilities emerged.
The Vicxer team recommends organizations to:
- Prioritize patching High-severity notes in Commerce, NetWeaver, and BusinessObjects.
- Review configurations for third-party libraries (Tomcat, Spring) and SAP Fiori apps.
At Vicxer, our SAP security experts streamline end-to-end vulnerability management, from risk assessment to remediation. Our SAP Security platform ensures continuous compliance monitoring and rapid response to emerging threats.
Proactive patching and configuration audits remain critical to mitigating SAP landscape vulnerabilities.