SAP© Security Advisories - 2025 - SecurityBridge Cloud Platform

We've created the first of its kind, SecurityBridge Cloud Platform, designed to prioritize SAP patches, updates, and remediation strategies that help prevent disruptions to critical business systems. Our security advisories provide SAP users with valuable insights into the security and business implications of operating SAP.

The user interface is designed to be as intuitive as possible, but we’d love to hear your feedback and suggestions.
We hope you enjoy using it!

× Yikes, there is work to do!
This time we found critical correction advisiories. We count 59 and the highest CVSS score is 9.9.

Severity

SAP© Security advisories 59

System Types

Affected SAP© system types

_{Related note}
3567974

_CVSS
8.1

_{Affected system
type}
SAP Approuter

_Patchday
2025-03

_{Released
on}
2025/02/11

Description
[CVE-2025-24876] Authentication bypass via authorization code injection in SAP Approuter

Security Advisory

_{Related note}
3549494

_CVSS
4.1

_{Affected system
type}
BI/BO platform

_Patchday
2025-03

_{Released
on}
2025/03/11

Description
[CVE-2025-23185] Information Disclosure in SAP Business Objects Business Intelligence Platform

Security Advisory

_{Related note}
3568865

_CVSS
2.4

_{Affected system
type}
ABAP

_Patchday
2025-03

_{Released
on}
2025/03/11

Description
[CVE-2025-27432] Missing Authorization check in SAP Electronic Invoicing for Brazil (eDocument Cockpit)

Security Advisory

_{Related note}
3561861

_CVSS
3.5

_{Affected system
type}
ABAP

_Patchday
2025-03

_{Released
on}
2025/03/11

Description
[CVE-2025-27430] Server Side Request Forgery (SSRF) in SAP CRM and SAP S/4 HANA (Interaction Center)

Security Advisory

_{Related note}
3576540

_CVSS
0.0

_{Affected system
type}
BTP

_Patchday
2025-03

_{Released
on}
2025/03/11

Description
Open Source Security Advisory: Best Practices for Securing Spring Boot Actuator Endpoints for applications running on BTP

Security Advisory

_{Related note}
3557459

_CVSS
4.7

_{Affected system
type}
BI/BO platform

_Patchday
2025-03

_{Released
on}
2025/03/11

Description
[CVE-2025-0062] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence)

Security Advisory

_{Related note}
3557469

_CVSS
5.4

_{Affected system
type}
BI/BO platform

_Patchday
2025-03

_{Released
on}
2025/03/11

Description
[CVE-2025-25245] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence)

Security Advisory

_{Related note}
3561792

_CVSS
5.3

_{Affected system
type}
Java

_Patchday
2025-03

_{Released
on}
2025/03/11

Description
[CVE-2025-23194] Missing Authentication check in SAP NetWeaver Enterprise Portal (OBN component)

Security Advisory

_{Related note}
3567246

_CVSS
5.4

_{Affected system
type}
Java

_Patchday
2025-03

_{Released
on}
2025/03/11

Description
[CVE-2025-27431] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java

Security Advisory

_{Related note}
3562390

_CVSS
6.1

_{Affected system
type}
ABAP

_Patchday
2025-03

_{Released
on}
2025/03/11

Description
[CVE-2025-25242] Cross-Site Scripting (XSS) in SAP NetWeaver Application Server ABAP

Security Advisory

_{Related note}
3561045

_CVSS
6.8

_{Affected system
type}
SAP Business One

_Patchday
2025-03

_{Released
on}
2025/03/11

Description
[CVE-2025-26658] Broken Authentication in SAP Business One (Service Layer)

Security Advisory

_{Related note}
3557655

_CVSS
4.3

_{Affected system
type}
ABAP

_Patchday
2025-03

_{Released
on}
2025/03/11

Description
[CVE-2025-26660] Broken Access Control in SAP Fiori apps (Posting Library)

Security Advisory

_{Related note}
3552144

_CVSS
5.7

_{Affected system
type}
ABAP

_Patchday
2025-03

_{Released
on}
2025/03/11

Description
[CVE-2025-25244] Missing Authorization Check in SAP Business Warehouse (Process Chains)

Security Advisory

_{Related note}
3552824

_CVSS
6.1

_{Affected system
type}
ABAP

_Patchday
2025-03

_{Released
on}
2025/03/11

Description
[CVE-2025-26659] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)

Security Advisory

_{Related note}
3558132

_CVSS
4.9

_{Affected system
type}
Kernel

_Patchday
2025-03

_{Released
on}
2025/03/11

Description
[CVE-2025-0071] Information Disclosure vulnerability in SAP Web Dispatcher and Internet Communication Manager

Security Advisory

_{Related note}
3562415

_CVSS
3.7

_{Affected system
type}
SAP Commerce Cloud SAP DataHub

_Patchday
2025-03

_{Released
on}
2025/03/11

Description
[CVE-2024-38819] Multiple vulnerabilities in Spring Framework within SAP Commerce Cloud and SAP Datahub

Security Advisory

_{Related note}
3563927

_CVSS
8.8

_{Affected system
type}
ABAP

_Patchday
2025-03

_{Released
on}
2025/03/11

Description
[CVE-2025-26661] Missing Authorization check in SAP NetWeaver (ABAP Class Builder)

Security Advisory

_{Related note}
3475427

_CVSS
4.3

_{Affected system
type}
SAP Fiori

_Patchday
2025-03

_{Released
on}
2024/08/13

Description
[CVE-2024-41736] Information Disclosure vulnerability in SAP Permit to Work

Security Advisory

_{Related note}
3483344

_CVSS
7.7

_{Affected system
type}
ABAP

_Patchday
2025-03

_{Released
on}
2024/07/09

Description
[CVE-2024-39592] Missing Authorization check in SAP PDCE

Security Advisory

_{Related note}
3565835

_CVSS
4.3

_{Affected system
type}
ABAP

_Patchday
2025-03

_{Released
on}
2025/03/11

Description
[CVE-2025-27433] Broken Access Control vulnerabilities in SAP S/4HANA (Manage Bank Statements)

Security Advisory

_{Related note}
3566851

_CVSS
8.6

_{Affected system
type}
SAP Commerce Cloud

_Patchday
2025-03

_{Released
on}
2025/03/11

Description
[CVE-2024-38286] Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud

Security Advisory

_{Related note}
3557131

_CVSS
4.3

_{Affected system
type}
ABAP

_Patchday
2025-03

_{Released
on}
2025/03/11

Description
[CVE-2025-23188] Missing Authorization check in SAP S/4HANA (RBD)

Security Advisory

_{Related note}
3474392

_CVSS
4.3

_{Affected system
type}
ABAP

_Patchday
2025-03

_{Released
on}
2025/03/11

Description
[CVE-2025-26656] Missing Authorization check in S/4HANA (Manage Purchasing Info Records)

Security Advisory

_{Related note}
3347991

_CVSS
3.1

_{Affected system
type}
ABAP

_Patchday
2025-03

_{Released
on}
2025/02/24

Description
[CVE-2025-26655] Missing Authorization check in SAP JIT(Outbound)

Security Advisory

_{Related note}
3569602

_CVSS
8.8

_{Affected system
type}
SAP Commerce

_Patchday
2025-03

_{Released
on}
2025/03/11

Description
[CVE-2025-27434] Cross-Site Scripting (XSS) vulnerability in SAP Commerce (Swagger UI)

Security Advisory

_{Related note}
3557138

_CVSS
6.1

_{Affected system
type}
Java

_Patchday
2025-02

_{Released
on}
2025/02/11

Description
Update 1 to Security Note 3417627 - [CVE-2024-22126] Cross Site Scripting vulnerability in NetWeaver AS Java (User Admin Application)

Security Advisory

_{Related note}
3555364

_CVSS
6.8

_{Affected system
type}
SAP Commerce Cloud

_Patchday
2025-02

_{Released
on}
2025/02/11

Description
[CVE-2025-24875] SameSite Defense in Depth not applied for some cookies in SAP Commerce

Security Advisory

_{Related note}
3563929

_CVSS
7.1

_{Affected system
type}
SAP HANA Platform

_Patchday
2025-02

_{Released
on}
2025/02/11

Description
[CVE-2025-24868] Open Redirect Vulnerability in SAP HANA extended application services, advanced model (User Account and Authentication Services)

Security Advisory

_{Related note}
3525794

_CVSS
8.7

_{Affected system
type}
BI/BO platform

_Patchday
2025-02

_{Released
on}
2025/02/11

Description
[CVE-2025-0064] Improper Authorization in SAP BusinessObjects Business Intelligence platform (Central Management Console)

Security Advisory

_{Related note}
3540273

_CVSS
5.5

_{Affected system
type}
SAP Commerce Cloud

_Patchday
2025-02

_{Released
on}
2025/02/11

Description
[CVE-2024-45216] Multiple vulnerabilities in Apache Solr within SAP Commerce Cloud

Security Advisory

_{Related note}
3567551

_CVSS
8.6

_{Affected system
type}
Java

_Patchday
2025-02

_{Released
on}
2025/02/11

Description
[CVE-2025-25243] Path traversal vulnerability in SAP Supplier Relationship Management (Master Data Management Catalog)

Security Advisory

_{Related note}
3559510

_CVSS
6.8

_{Affected system
type}
SAP Commerce Cloud

_Patchday
2025-02

_{Released
on}
2025/02/11

Description
[CVE-2025-24874] Missing Defense in Depth Against Clickjacking in SAP Commerce (Backoffice)

Security Advisory

_{Related note}
3550027

_CVSS
4.3

_{Affected system
type}
Java

_Patchday
2025-02

_{Released
on}
2025/02/11

Description
[CVE-2025-24869] Information Disclosure vulnerability in SAP NetWeaver Application Server Java

Security Advisory

_{Related note}
3561264

_CVSS
5.3

_{Affected system
type}
ABAP

_Patchday
2025-02

_{Released
on}
2025/02/11

Description
[CVE-2025-23193] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP

Security Advisory

_{Related note}
3445708

_CVSS
6.1

_{Affected system
type}
BI/BO platform

_Patchday
2025-02

_{Released
on}
2025/02/11

Description
[CVE-2025-24867] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform (BI Launchpad)

Security Advisory

_{Related note}
3546470

_CVSS
5.3

_{Affected system
type}
ABAP

_Patchday
2025-02

_{Released
on}
2025/02/11

Description
[CVE-2025-23187] Missing Authorization Check in SAP NetWeaver and ABAP Platform (SDCCN)

Security Advisory

_{Related note}
3526203

_CVSS
5.4

_{Affected system
type}
Java

_Patchday
2025-02

_{Released
on}
2025/02/11

Description
[CVE-2025-0054] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java

Security Advisory

_{Related note}
3532025

_CVSS
5.4

_{Affected system
type}
ABAP

_Patchday
2025-02

_{Released
on}
2025/02/11

Description
[CVE-2025-25241] Missing Authorization check in SAP Fiori Apps Reference Library (My Overtime Requests)

Security Advisory

_{Related note}
3417627

_CVSS
8.8

_{Affected system
type}
Java

_Patchday
2025-02

_{Released
on}
2024/02/13

Description
[CVE-2024-22126] Cross Site Scripting vulnerability in NetWeaver AS Java (User Admin Application)

Security Advisory

_{Related note}
3567172

_CVSS
7.5

_{Affected system
type}
SAP Enterprise...

_Patchday
2025-02

_{Released
on}
2025/02/11

Description
[CVE-2024-38819] Multiple vulnerabilities in SAP Enterprise Project Connection

Security Advisory

_{Related note}
3562336

_CVSS
6.0

_{Affected system
type}
SAP GUI / Frontend

_Patchday
2025-02

_{Released
on}
2025/02/11

Description
[CVE-2025-24870] Insecure Key & Secret Management vulnerability in SAP GUI for Windows

Security Advisory

_{Related note}
3426825

_CVSS
3.1

_{Affected system
type}
ABAP

_Patchday
2025-02

_{Released
on}
2025/02/11

Description
[CVE-2025-23191] Cache Poisoning through header manipulation vulnerability in SAP Fiori for SAP ERP

Security Advisory

_{Related note}
3287784

_CVSS
5.3

_{Affected system
type}
Java

_Patchday
2025-02

_{Released
on}
2023/04/11

Description
[CVE-2023-24527] Improper Access Control in SAP NetWeaver AS Java for Deploy Service

Security Advisory

_{Related note}
3547581

_CVSS
4.3

_{Affected system
type}
ABAP

_Patchday
2025-02

_{Released
on}
2025/02/11

Description
[CVE-2025-23190] Missing Authorization check in SAP NetWeaver and ABAP platform (ST-PI)

Security Advisory

_{Related note}
3553753

_CVSS
4.3

_{Affected system
type}
ABAP

_Patchday
2025-02

_{Released
on}
2025/02/11

Description
[CVE-2025-24872] Missing Authorization check in SAP ABAP Platform (ABAP Build Framework)

Security Advisory

_{Related note}
3492169

_CVSS
2.2

_{Affected system
type}
BI/BO platform

_Patchday
2025-01

_{Released
on}
2025/01/14

Description
Multiple Buffer overflow vulnerabilities in SAP BusinessObjects Business Intelligence Platform (Crystal Reports for Enterprise)

Security Advisory

_{Related note}
3537476

_CVSS
9.9

_{Affected system
type}
Kernel

_Patchday
2025-01

_{Released
on}
2025/01/14

Description
[CVE-2025-0070] Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform

Security Advisory

_{Related note}
3550708

_CVSS
9.9

_{Affected system
type}
ABAP

_Patchday
2025-01

_{Released
on}
2025/01/14

Description
[CVE-2025-0066] Information Disclosure vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform(Internet Communication Framework)

Security Advisory

_{Related note}
3503138

_CVSS
6.0

_{Affected system
type}
SAP GUI / Frontend

_Patchday
2025-01

_{Released
on}
2025/01/14

Description
[CVE-2025-0059] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)

Security Advisory

_{Related note}
3514421

_CVSS
4.8

_{Affected system
type}
Java

_Patchday
2025-01

_{Released
on}
2025/01/14

Description
[CVE-2025-0057] Cross-Site Scripting vulnerability in SAP NetWeaver AS JAVA (User Admin Application)

Security Advisory

_{Related note}
3550816

_CVSS
8.8

_{Affected system
type}
ABAP

_Patchday
2025-01

_{Released
on}
2025/01/14

Description
[CVE-2025-0063] SQL Injection vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform

Security Advisory

_{Related note}
3542533

_CVSS
7.8

_{Affected system
type}
SAPSetup

_Patchday
2025-01

_{Released
on}
2025/01/14

Description
[CVE-2025-0069] DLL Hijacking vulnerability in SAPSetup

Security Advisory

_{Related note}
3540108

_CVSS
6.3

_{Affected system
type}
Java

_Patchday
2025-01

_{Released
on}
2025/01/14

Description
[CVE-2025-0067] Missing Authorization check in SAP NetWeaver Application Server Java

Security Advisory

_{Related note}
3536461

_CVSS
5.3

_{Affected system
type}
ABAP

_Patchday
2025-01

_{Released
on}
2025/01/14

Description
[CVE-2025-0053] Information Disclosure Vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform

Security Advisory

_{Related note}
3472837

_CVSS
6.0

_{Affected system
type}
SAP GUI / Frontend

_Patchday
2025-01

_{Released
on}
2025/01/14

Description
[CVE-2025-0055] Information Disclosure vulnerability in SAP GUI for Windows

Security Advisory

_{Related note}
3474398

_CVSS
8.7

_{Affected system
type}
BI/BO platform

_Patchday
2025-01

_{Released
on}
2025/01/14

Description
[CVE-2025-0061] Multiple vulnerabilities in SAP BusinessObjects Business Intelligence Platform

Security Advisory

_{Related note}
3502459

_CVSS
6.0

_{Affected system
type}
SAP GUI / Frontend

_Patchday
2025-01

_{Released
on}
2025/01/14

Description
[CVE-2025-0056] Information Disclosure vulnerability in SAP GUI for Java

Security Advisory

_{Related note}
3542698

_CVSS
6.5

_{Affected system
type}
ABAP

_Patchday
2025-01

_{Released
on}
2025/01/14

Description
[CVE-2025-0058] Information Disclosure vulnerability in SAP Business Workflow and SAP Flexible Workflow

Security Advisory

_{Related note}
3550674

_CVSS
4.3

_{Affected system
type}
ABAP

_Patchday
2025-01

_{Released
on}
2025/01/14

Description
[CVE-2025-0068] Missing Authorization check in Remote Function Call (RFC) in SAP NetWeaver Application Server ABAP

Security Advisory

Notifications

Severity

SAP© Security advisories 59

System Types

Affected SAP© system types

Related note 3567974

CVSS 8.1

Affected system type SAP Approuter

Patchday2025-03

Released on2025/02/11

Related note 3549494

CVSS 4.1

Affected system type BI/BO platform

Patchday2025-03

Released on2025/03/11

Related note 3568865

CVSS 2.4

Affected system type ABAP

Patchday2025-03

Released on2025/03/11

Related note 3561861

CVSS 3.5

Affected system type ABAP

Patchday2025-03

Released on2025/03/11

Related note 3576540

CVSS 0.0

Affected system type BTP

Patchday2025-03

Released on2025/03/11

Related note 3557459

CVSS 4.7

Affected system type BI/BO platform

Patchday2025-03

Released on2025/03/11

Related note 3557469

CVSS 5.4

Affected system type BI/BO platform

Patchday2025-03

Released on2025/03/11

Related note 3561792

CVSS 5.3

Affected system type Java

Patchday2025-03

Released on2025/03/11

Related note 3567246

CVSS 5.4

Affected system type Java

Patchday2025-03

Released on2025/03/11

Related note 3562390

CVSS 6.1

Affected system type ABAP

Patchday2025-03

Released on2025/03/11

Related note 3561045

CVSS 6.8

Affected system type SAP Business One

Patchday2025-03

Released on2025/03/11

Related note 3557655

CVSS 4.3

Affected system type ABAP

Patchday2025-03

Released on2025/03/11

Related note 3552144

CVSS 5.7

Affected system type ABAP

Patchday2025-03

Released on2025/03/11

Related note 3552824

CVSS 6.1

Affected system type ABAP

Patchday2025-03

Released on2025/03/11

Related note 3558132

CVSS 4.9

Affected system type Kernel

Patchday2025-03

Released on2025/03/11

_{Related note}
3567974

_CVSS
8.1

_{Affected system
type}
SAP Approuter

_Patchday
2025-03

_{Released
on}
2025/02/11

_{Related note}
3549494

_CVSS
4.1

_{Affected system
type}
BI/BO platform

_Patchday
2025-03

_{Released
on}
2025/03/11

_{Related note}
3568865

_CVSS
2.4

_{Affected system
type}
ABAP

_Patchday
2025-03

_{Released
on}
2025/03/11

_{Related note}
3561861

_CVSS
3.5

_{Affected system
type}
ABAP

_Patchday
2025-03

_{Released
on}
2025/03/11

_{Related note}
3576540

_CVSS
0.0

_{Affected system
type}
BTP

_Patchday
2025-03

_{Released
on}
2025/03/11

_{Related note}
3557459

_CVSS
4.7

_{Affected system
type}
BI/BO platform

_Patchday
2025-03

_{Released
on}
2025/03/11

_{Related note}
3557469

_CVSS
5.4

_{Affected system
type}
BI/BO platform

_Patchday
2025-03

_{Released
on}
2025/03/11

_{Related note}
3561792

_CVSS
5.3

_{Affected system
type}
Java

_Patchday
2025-03

_{Released
on}
2025/03/11

_{Related note}
3567246

_CVSS
5.4

_{Affected system
type}
Java

_Patchday
2025-03

_{Released
on}
2025/03/11

_{Related note}
3562390

_CVSS
6.1

_{Affected system
type}
ABAP

_Patchday
2025-03

_{Released
on}
2025/03/11

_{Related note}
3561045

_CVSS
6.8

_{Affected system
type}
SAP Business One

_Patchday
2025-03

_{Released
on}
2025/03/11

_{Related note}
3557655

_CVSS
4.3

_{Affected system
type}
ABAP

_Patchday
2025-03

_{Released
on}
2025/03/11

_{Related note}
3552144

_CVSS
5.7

_{Affected system
type}
ABAP

_Patchday
2025-03

_{Released
on}
2025/03/11

_{Related note}
3552824

_CVSS
6.1

_{Affected system
type}
ABAP

_Patchday
2025-03

_{Released
on}
2025/03/11

_{Related note}
3558132

_CVSS
4.9

_{Affected system
type}
Kernel

_Patchday
2025-03

_{Released
on}
2025/03/11

_{Related note}
3562415

_CVSS
3.7

_{Affected system
type}
SAP Commerce Cloud SAP DataHub

_Patchday
2025-03

_{Released
on}
2025/03/11