SAP Security Patch Day - April 2025
Each month, SAP unveil critical updates known as “SAP Security Notes”.
On April 8, 2025, SAP released 18 new Security Notes and 2 updates to previously released patches. This month’s release features a significant increase in Critical vulnerabilities compared to March, with 3 Critical-severity issues (CVSS 9.8-9.9) that demand immediate attention. This release also includes 5 High-severity vulnerabilities (CVSS 7.7-8.8), 10 Medium-severity issues (CVSS 4.1-6.8), and 1 Low-severity update.
Key Highlight by Severity
This April release highlights severe code injection and authentication vulnerabilities that could lead to a complete system compromise on several key SAP products, marking a notable shift in risk profile from the previous month.
Critical Priority (CVSS 9.8-9.9):
Code Injection vulnerabilities dominate the critical issues this month, including:
- Two severe Code Injection flaws in SAP S/4HANA Private Cloud (#3581961) and SAP Landscape Transformation Analysis Platform (#3587115), both with a CVSS score of 9.9, allowing attackers to potentially execute arbitrary code with high impact on confidentiality, integrity, and availability.
- Authentication Bypass vulnerability in SAP Financial Consolidation (#3572688, CVSS 9.8) enabling unauthenticated attackers to gain admin-level access.
High Priority (CVSS 7.7-8.8):
- Improper Authorization in SAP BusinessObjects BI platform (#3525794, CVSS 8.8), updated from February 2025 Patch Day, allowing user impersonation via secret passphrase retrieval.
- Mixed Dynamic RFC Destination vulnerability in SAP NetWeaver AS ABAP (#3554667, CVSS 8.5) that could expose credentials for remote services.
- TOCTOU Race Condition in Apache Tomcat within SAP Commerce Cloud (#3590984, CVSS 8.1), requiring specific server settings to be exploitable.
- Two Directory Traversal vulnerabilities in SAP Capital Yield Tax Management (#2927164) and SAP NetWeaver ABAP Platform (#3581811), both with CVSS 7.7, enabling unauthorized file access.
Medium Priority (CVSS 4.1-6.8):
- Information disclosure issues in SAP Commerce Cloud (#3543274, CVSS 6.8) related to unencrypted HTTP communication.
- Code Injection vulnerability in SAP ERP BW Business Content (#3571093, CVSS 6.7) that requires local system access.
- Insecure file permissions in SAP BusinessObjects BI Platform (#3565751, CVSS 6.6).
- Multiple Missing Authorization checks across SAP NetWeaver, Solution Manager, and other components.
- Cross-Site Scripting vulnerability in SAP NetWeaver AS ABAP (CVSS 4.7).
Low Priority (CVSS ≤3.5):
- Update to a Server-Side Request Forgery (SSRF) vulnerability in SAP CRM and SAP S/4HANA Interaction Center (#3561861) from March 2025 Patch Day
Main Affected SAP Components
- SAP NetWeaver and ABAP Platform: Multiple vulnerabilities across different components, including high-risk RFC destination vulnerability (CVSS 8.5), directory traversal issue (CVSS 7.7), and several authorization bypasses. Components, including high-risk RFC destination vulnerability (CVSS 8.5), directory traversal issue (CVSS 7.7), and several authorization bypasses.
- SAP Commerce Cloud: Faces several issues including Apache Tomcat vulnerabilities (CVSS
8.1), information disclosure risks related to HTTP/HTTPS implementation (CVSS
6.8), and coupon code exposure concerns. - SAP S/4HANA: Critical code injection vulnerability in Private Cloud edition (CVSS 9.9), plus several lower-severity issues in Core components.
- SAP BusinessObjects BI Platform: High-severity improper authorization flaw (CVSS 8.8) and insecure file permissions issue (CVSS 6.6) affecting
confidentiality and system integrity. - SAP Landscape Transformation: Critical code injection vulnerability (CVSS
9.9) that could allow full system compromise. - SAP Financial Consolidation: Critical authentication bypass vulnerability (CVSS 9.8) enabling unauthenticated access to admin accounts.
Notable Trends
-
Critical vulnerabilities return: After two months without Critical-severity issues, April sees three Critical vulnerabilities with CVSS scores of 9.8-9.9, indicating severe security risks, which require immediate attention.
- Code Injection prominence: Two Critical (CVSS 9.9) and one Medium (CVSS 6.7) vulnerabilities involve code injection, highlighting a concerning attack vector across different SAP products.
- Updates to prior fixes: Two notes (3525794 and #3561861) update previous patches from February and March 2025, continuing the trend of refining earlier security fixes.
- Authentication and authorization issues: A significant portion of this month’s vulnerabilities relate to improper authentication or missing authorization checks, suggesting ongoing challenges in access control implementation.
- Third-party dependencies: Apache Tomcat vulnerability in SAP Commerce Cloud highlights continued supply-chain security concerns similar to March’s findings.
The Bottom Line
April’s release presents a significantly more severe risk profile than March, with three Critical vulnerabilities that could lead to complete system compromise. Organizations should:
1. Prioritize patches for Critical vulnerabilities in SAP S/4HANA Private Cloud, SAP Landscape Transformation, and SAP Financial Consolidation with immediate urgency.
2. Address High-severity issues in NetWeaver AS ABAP (RFC vulnerability) and BusinessObjects BI Platform as secondary priorities.
3. Review configurations for Commerce Cloud’s HTTP/HTTPS settings to mitigate potential information disclosure risks.
4. Implement comprehensive testing before deploying patches, especially for the Critical-severity issues that may impact core system functionality.
This month’s Security Patch Day underscores the importance of maintaining vigilance in SAP security management, with particular attention to preventing code injection attacks and unauthorized access through authentication bypasses. Prompt patching and a defense-in-depth approach remain essential strategies for protecting SAP environments from these evolving threats.