On April 8, 2025, SAP issued 18 new and two updated security notes as part of its April 2025 Security Patch Day. Three of the notes address critical vulnerabilities (CVSS 9.8 and above), and these are the ones administrators should schedule first.
Critical Vulnerabilities Addressed:
1. Code Injection Flaws in S/4HANA and Landscape Transformation:
– CVE-2025-27429 and CVE-2025-31330 (CVSS Score: 9.9): These vulnerabilities are code injection issues in SAP S/4HANA (Private Cloud) and SAP Landscape Transformation (Analysis Platform). Both CVEs describe the same underlying defect, which is present in both products. The affected function module accepts arbitrary text from the caller and writes it into the system as an ABAP report using the INSERT REPORT statement, so whatever text the caller supplies becomes executable ABAP code. Exploitation requires S_RFC authorization for the specific function module or its function group. That prerequisite should not be treated as a strong mitigation: S_RFC is frequently granted broadly (often with wildcard function groups) in real landscapes, so many ordinary RFC users may already meet it. SAP's remediation disables the vulnerable function module rather than attempting to validate its input.
2. Authentication Bypass in Financial Consolidation:
– CVE-2025-30016 (CVSS Score: 9.8): This vulnerability is an authentication bypass issue within SAP’s Financial Consolidation product. An unauthenticated attacker could exploit this flaw to impersonate an administrator user, potentially leading to unauthorized access and control over financial data. SAP has addressed this issue by implementing stricter authentication mechanisms to prevent unauthorized access.
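To make the code injection flaw described under item 1 concrete, the following ABAP snippet is an added illustration written for this article; it is not SAP's code and not the function module patched by CVE-2025-27429 / CVE-2025-31330. All names starting with Z_HYP_ are made up, and the interface header is abbreviated. It shows the dangerous pattern (caller-supplied text passed straight to INSERT REPORT and then executed) beside the remediation SAP chose, which is to disable the module outright.

```abap
*----------------------------------------------------------------------*
* Added illustration, not SAP's code. Z_HYP_* names are hypothetical.
* Demonstrates why "arbitrary text -> INSERT REPORT" is remote code
* execution for anyone holding S_RFC on the module or its group.
*----------------------------------------------------------------------*

* --- Vulnerable pattern -------------------------------------------------
* Remote-enabled function module (Processing Type: Remote-Enabled in SE37).
* Any caller with S_RFC for this module / function group can invoke it.
FUNCTION z_hyp_generate_report.
*"  IMPORTING
*"     VALUE(iv_progname) TYPE progname
*"  TABLES
*"     it_source STRUCTURE abaptxt255
*"  EXCEPTIONS
*"     generation_failed

  " The caller's lines are written into the repository as an ABAP
  " program. Nothing is validated: the text IS the program.
  INSERT REPORT iv_progname FROM it_source[].
  IF sy-subrc <> 0.
    RAISE generation_failed.
  ENDIF.

  " Executing the generated program runs the caller's text with the
  " authorizations of the user under which the RFC call is processed.
  SUBMIT (iv_progname) AND RETURN.
ENDFUNCTION.

* --- Remediated form ----------------------------------------------------
* There is no safe way to accept arbitrary source over RFC and compile
* it, so the fix mirrors SAP's approach: the module no longer does
* anything and every call is rejected. (Leaving the empty shell in
* place, rather than deleting the module, avoids breaking RFC callers
* that merely reference the name.)
FUNCTION z_hyp_generate_report_fixed.
*"  IMPORTING
*"     VALUE(iv_progname) TYPE progname
*"  TABLES
*"     it_source STRUCTURE abaptxt255
*"  EXCEPTIONS
*"     function_disabled

  " Disabled for security reasons: caller-supplied source must never be
  " turned into a report. Parameters are intentionally ignored.
  RAISE function_disabled.
ENDFUNCTION.
```

Two checks a practitioner will want after applying the note: confirm in SE37 that the affected module is no longer executable, and review who holds S_RFC on its function group (transaction SUIM, authorization object S_RFC, activity 16). Wildcard grants such as RFC_NAME = * mean the "requires S_RFC" precondition is satisfied by far more accounts than intended.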
Additional High-Severity Vulnerabilities:
Beyond the critical vulnerabilities, SAP’s April 2025 Patch Day also addressed several high-severity issues:
– Improper Authorization in BusinessObjects Business Intelligence Platform: An updated security note resolves an improper authorization flaw that could have allowed unauthorized access to sensitive business intelligence data.
– Vulnerabilities in NetWeaver Application Server ABAP, Commerce Cloud, and Capital Yield Tax Management: These include a race condition in the Apache Tomcat component shipped with Commerce Cloud. Exploiting that Tomcat issue requires three specific conditions to hold at the same time, none of which is enabled by default, which limits the immediate risk for standard deployments but not for installations that have changed those defaults.
Medium and Low-Severity Vulnerabilities:
SAP also released fixes for ten medium-severity vulnerabilities and one low-severity vulnerability affecting various products, including Commerce Cloud, ERP BW Business Content, BusinessObjects, NetWeaver KMC WPC, and NetWeaver. These pose a lower risk than the critical and high-severity issues, but SAP recommends applying the patches promptly to maintain system security.
Recommendations for SAP Users:
SAP strongly advises all customers to review the security notes and apply the necessary patches without delay, starting with the three critical notes. Where a patch cannot be applied immediately, the S_RFC authorization prerequisite for the code injection flaw and the non-default conditions for the Tomcat issue give a basis for short-term risk reduction, but they are not substitutes for the fix.
Conclusion:
The April 2025 Patch Day again shows why regular patch cycles matter for SAP landscapes: two of the three critical issues turn an ordinary RFC authorization into code execution, and the third removes authentication altogether. Organizations running the affected products should prioritize these notes in their next maintenance window.