On August 12, 2025, SAP released a comprehensive security update as part of its monthly Security Patch Day, addressing 15 new vulnerabilities across its enterprise software suite. This update is particularly significant due to the inclusion of three critical code injection flaws that pose substantial risks to organizations worldwide. Additionally, SAP provided updates to four previously released security notes, underscoring its commitment to proactively managing emerging threats within its applications.
Key Highlights:
1. Critical Code Injection Vulnerabilities: Three critical vulnerabilities in SAP S/4HANA and the Landscape Transformation platform have been identified, each with a maximum CVSS score of 9.9. These flaws enable remote code execution, potentially allowing attackers to gain complete control over affected systems.
2. Low Attack Complexity: The identified vulnerabilities require minimal privileges and have low attack complexity, making them easily exploitable and increasing the urgency for immediate remediation.
3. Broad Impact Across SAP Products: A total of 15 vulnerabilities have been addressed, affecting key SAP platforms such as NetWeaver, Business One, and core SAP systems, necessitating prompt patching to maintain system integrity.
In-Depth Analysis of Critical Vulnerabilities:
The three critical vulnerabilities addressed in this patch cycle are among the most severe ever documented in SAP systems:
– CVE-2025-42957: This vulnerability affects SAP S/4HANA Private Cloud and On-Premise installations across versions S4CORE 102 through 108. It allows authenticated attackers to execute arbitrary code with elevated privileges, potentially leading to full system compromise.
– CVE-2025-42950: Targeting the SAP Landscape Transformation Analysis Platform, this flaw impacts multiple DMIS versions from 2011_1_700 to 2020. Exploitation could result in unauthorized code execution, jeopardizing system security.
– CVE-2025-27429: An update to a previously released security note from April 2025, this vulnerability indicates the discovery of additional attack vectors or incomplete remediation in earlier patches. It underscores the necessity for continuous vigilance and prompt application of security updates.
These code injection vulnerabilities exploit insufficient input validation within SAP’s ABAP runtime environment. By injecting and executing unauthorized code through network-accessible interfaces, attackers can compromise entire SAP landscapes and access sensitive business data. The low attack complexity (AC:L) and minimal privilege requirements (PR:L) make these vulnerabilities particularly attractive to cybercriminals. The Changed scope designation (S:C) indicates that successful exploitation could impact resources beyond the vulnerable component, potentially leading to complete system compromise.
Additional Vulnerabilities Addressed:
Beyond the critical code injection flaws, SAP’s September 2025 Security Patch Day also addresses a range of other security weaknesses:
– Authorization Bypass (CVE-2025-42951): A high-severity vulnerability in SAP Business One SLD, with a CVSS score of 8.8, affects versions B1_ON_HANA 10.0 and SAP-M-BO 10.0. Exploitation could allow unauthorized access to sensitive data and system functions.
– Cross-Site Scripting (XSS) Vulnerabilities: Multiple XSS vulnerabilities have been identified in the SAP NetWeaver Application Server ABAP ecosystem, including CVE-2025-42976 and CVE-2025-42975, each with a CVSS score of 8.1. These flaws could enable attackers to inject malicious scripts, compromising user sessions and data integrity.
– Directory Traversal (CVE-2025-42946): A medium-severity vulnerability in SAP S/4HANA Bank Communication Management, with a CVSS score of 6.9, could allow attackers to access restricted directories and files, leading to unauthorized information disclosure.
– HTML Injection (CVE-2025-42945): This medium-severity vulnerability in SAP NetWeaver Application Server ABAP, with a CVSS score of 6.1, could enable attackers to inject malicious HTML content, potentially leading to phishing attacks or unauthorized actions.
– Information Disclosure (CVE-2025-0059): A medium-severity vulnerability in SAP NetWeaver Application Server ABAP, with a CVSS score of 6.0, could result in unauthorized access to sensitive information, compromising data confidentiality.
Recommendations for Organizations:
Given the severity and breadth of the vulnerabilities addressed in this patch cycle, organizations utilizing SAP systems should take the following actions:
1. Immediate Patch Deployment: Prioritize the application of the latest security patches, focusing on the critical code injection vulnerabilities to prevent potential system compromises.
2. Review and Restrict Access Controls: Evaluate and tighten access controls, particularly concerning the S_DMIS authorization object, to minimize the risk of unauthorized access.
3. Implement Robust Monitoring: Establish continuous monitoring of system logs to detect suspicious activities, such as unusual Remote Function Call (RFC) executions or the creation of new high-privilege user accounts.
4. Enhance System Segmentation: Ensure that critical systems are properly segmented and that robust backup procedures are in place to facilitate rapid recovery in the event of a security incident.
5. Stay Informed: Regularly consult SAP’s Support Portal and security advisories to stay updated on emerging threats and recommended mitigation strategies.
By proactively addressing these vulnerabilities and implementing the recommended security measures, organizations can significantly reduce the risk of exploitation and safeguard their SAP environments against potential cyber threats.
