Enhance Your SAP Security with Vicxer! Discover how to safeguard your SAP environment effectively.

SAP Security Patch Day – May 2025

What you need to know

 

On May 13, 2025, SAP released 16 new Security Notes and 2 updates to previously released patches. This month’s release includes 2 Critical-severity vulnerabilities (CVSS 9.1–10.0), 6 High-severity issues (CVSS 7.7–8.6), 8 Medium-severity vulnerabilities (CVSS 4.3–6.6), and 1 Low-severity update. The focus shifts to authorization bypasses and insecure deserialization risks, with critical impacts on SAP NetWeaver and supply chain components.  

Key Highlights by Severity

Critical Vulnerability (CVSS 9.1- 10.0)

  • Missing Authorization in SAP NetWeaver Visual Composer (#3594142, CVSS 10.0): Allows unauthenticated attackers to upload malicious binaries, risking full system compromise. 
  • Insecure Deserialization in SAP NetWeaver (#3604119, CVSS 9.1): Enables remote code execution via malicious payloads, affecting confidentiality, integrity, and availability. 

High Vulnerability (CVSS 7.7- 8.6)

  •  Code Injection in SAP S/4HANA SCM Master Data Layer (#3600859, CVSS 8.3): Allows authenticated users to replace ABAP programs. 
  • Multiple vulnerabilities in SAP SRM Live Auction Cockpit (#3578900, CVSS 8.6): Includes blind XXE, XSS, and insecure deserialization due to deprecated Java applets. 
  • Information Disclosure in SAP BusinessObjects BI Platform (#3586013, CVSS 7.9): Exposes restricted data via Promotion Management Wizard. 
  • Missing Authorization in SAP Landscape Transformation (#3591978, CVSS 7.7): Allows access to restricted functionalities. 

Medium Vulnerability (CVSS 4.3- 6.6)

  • Cross-Site Scripting (XSS) in SAP SRM MDM Catalog (#3588455, CVSS 6.1): Requires user interaction to execute malicious scripts. 
  • Information Disclosure in SAP GUI for Windows (#3574520, CVSS 4.3): Exposes credentials via insecure obfuscation. 

Low Priority (CVSS ≤5.8)

  • Update to Missing Authorization in SAP PDCE (#3483344, CVSS 7.7) from July 2024 Patch Day. 

General Trends across the Notes

  • Authorization Gaps: Multiple notes (e.g., in SRM, SPM, HCM) address missing or insufficient authorization checks, which could enable privilege escalation or unauthorized data access. 
  • Information Disclosure: Several vulnerabilities allow attackers to access sensitive information, including internal system details and user credentials. 
  • Cross-Site Scripting (XSS): Noted in SRM and Data Services Management Console, potentially enabling session hijacking or data theft. 
  • Code Injection and Misconfiguration: Issues in S/4HANA Cloud and Digital Manufacturing could allow attackers to manipulate business logic or expose data due to insecure configurations. 
  • Patch Supersession: Several notes this month update or supersede previous advisories, particularly for the Visual Composer component, reflecting the evolving threat landscape understanding of the threat and the need for cumulative remediation. 

Main Affected SAP Components

The Botton Line

May’s release underscores critical risks in SAP NetWeaver and supply chain modules, demanding immediate action: 

  • Prioritize Critical patches for Visual Composer (#3594142, #3604119) to prevent remote code execution. 
  • Migrate from deprecated components like SRM’s Java applets to mitigate XXE and XSS risks. 
  • Audit authorization checks in S/4HANA, BI Platform, and Landscape Transformation to close privilege escalation gaps. 
  • Monitor SAP GUI and Gateway Client configurations to address medium-severity information leaks. 

This month’s patches highlight the persistent challenge of securing legacy functionalities and enforcing strict input validation. Organizations must balance prompt patching with architectural modernization to reduce attack surfaces. 


At Vicxer, our SAP security experts streamline vulnerability management with real-time monitoring and tailored remediation strategies. Safeguard your landscape against evolving threats-contact us today to fortify your SAP environment.

Table of Contents

Discover more from Vicxer Inc | SAP Security

Subscribe now to keep reading and get access to the full archive.

Continue reading