SAP Security Notes - 07/25 - SecurityBridge Cloud

.no-js-class { display: none; } body { background-color: #fff; }

No JavaScript!

It seems your browser does not support JavaScript or it was disable by purpose! We use JavaScript to improve the user experience. Please consider enabling it for a better usability.

We've created the first of its kind, SecurityBridge Cloud Platform, designed to prioritize SAP patches, updates, and remediation strategies that help prevent disruptions to critical business systems. Our security advisories provide SAP users with valuable insights into the security and business implications of operating SAP.

The user interface is designed to be as intuitive as possible, but we’d love to hear your feedback and suggestions.

×

Yikes, there is work to do!
This time we found critical correction advisiories. We count 23 and the highest CVSS score is 10.0.

Severity

SAP© Security advisories 23

System Types

Affected SAP© system types

3578900

CVSS

10.0

Affected system type Java

Patchday 2025-07

Released on 2025/05/13

Description [CVE-2025-30012] Multiple vulnerabilities in SAP Supplier Relationship Management (Live Auction Cockpit)

Security Advisory

3618955

CVSS

9.9

Affected system type ABAP

Patchday 2025-07

Released on 2025/07/08

Description [CVE-2025-42967] Code Injection vulnerability in SAP S/4HANA and SAP SCM (Characteristic Propagation)

Security Advisory

3621771

CVSS

9.1

Affected system type Java

Patchday 2025-07

Released on 2025/07/08

Description [CVE-2025-42963] Insecure Deserialization in SAP NetWeaver Application Server for Java (Log Viewer )

Security Advisory

3621236

CVSS

9.1

Affected system type Java

Patchday 2025-07

Released on 2025/07/08

Description [CVE-2025-42964] Insecure Deserialization in SAP NetWeaver Enterprise Portal Administration

Security Advisory

3620498

CVSS

9.1

Affected system type Java

Patchday 2025-07

Released on 2025/07/08

Description [CVE-2025-42980] Insecure Deserialization in SAP NetWeaver Enterprise Portal Federated Portal Network

Security Advisory

3623440

CVSS

8.1

Affected system type ABAP

Patchday 2025-07

Released on 2025/07/08

Description [CVE-2025-42953] Missing Authorization check in SAP NetWeaver Application Server for ABAP

Security Advisory

3565279

CVSS

8.0

Affected system type BI/BO platform

Patchday 2025-07

Released on 2025/07/08

Description [CVE-2024-53677] Insecure File Operations vulnerability in SAP Business Objects Business Intelligence Platform (CMC)

Security Advisory

3623255

CVSS

7.7

Affected system type ABAP

Patchday 2025-07

Released on 2025/07/08

Description [CVE-2025-42952] Missing Authorization check in SAP Business Warehouse and SAP Plug-In Basis

Security Advisory

3610591

CVSS

7.6

Affected system type ABAP

Patchday 2025-07

Released on 2025/06/10

Description [CVE-2025-42977] Directory Traversal vulnerability in SAP NetWeaver Visual Composer

Security Advisory

3595143

CVSS

6.9

Affected system type SAPCAR

Patchday 2025-07

Released on 2025/07/08

Description [CVE-2025-43001] Multiple Privilege Escalation Vulnerabilities in SAPCAR

Security Advisory

3580384

CVSS

6.7

Affected system type ABAP

Patchday 2025-07

Released on 2025/06/10

Description [CVE-2025-42993] Missing Authorization Check in SAP S/4HANA (Enterprise Event Enablement)

Security Advisory

3617380

CVSS

6.1

Affected system type BI/BO platform

Patchday 2025-07

Released on 2025/07/08

Description [CVE-2025-42985] Open Redirect vulnerability in SAP BusinessObjects Content Administrator workbench

Security Advisory

3604212

CVSS

6.1

Affected system type ABAP

Patchday 2025-07

Released on 2025/07/08

Description [CVE-2025-42962] Cross-Site Scripting (XSS) vulnerability in SAP Business Warehouse (Business Explorer Web 3.5 loading animation)

Security Advisory

3595156

CVSS

5.8

Affected system type SAPCAR

Patchday 2025-07

Released on 2025/07/08

Description [CVE-2025-42970] Directory Traversal vulnerability in SAPCAR

Security Advisory

3607513

CVSS

5.6

Affected system type SAP GUI / Frontend

Patchday 2025-07

Released on 2025/07/08

Description [CVE-2025-42979] Insecure Key & Secret Management vulnerability in SAP GUI for Windows

Security Advisory

3606103

CVSS

5.4

Affected system type SAP Data Services

Patchday 2025-07

Released on 2025/07/08

Description [CVE-2025-42973] Cross-Site Scripting (XSS) vulnerability in SAP Data Services (DQ Report)

Security Advisory

3621037

CVSS

5.0

Affected system type ABAP

Patchday 2025-07

Released on 2025/07/08

Description [CVE-2025-42968] Missing Authorization check in SAP NetWeaver (RFC enabled function module)

Security Advisory

3610056

CVSS

4.3

Affected system type ABAP

Patchday 2025-07

Released on 2025/07/08

Description [CVE-2025-42974] Missing Authorization Check in SAP NetWeaver and ABAP Platform (SDCCN)

Security Advisory

3608991

CVSS

4.3

Affected system type ABAP

Patchday 2025-07

Released on 2025/07/08

Description [CVE-2025-42960] Missing Authorization Check in SAP Business Warehouse and SAP BW/4HANA BEx Tools

Security Advisory

3598118

CVSS

4.1

Affected system type BI/BO platform

Patchday 2025-07

Released on 2025/07/08

Description [CVE-2025-42965] Server Side Request Forgery(SSRF) vulnerability in SAP BusinessObjects BI Platform Central Management Console Promotion Management Application.

Security Advisory

3573199

CVSS

4.1

Affected system type BI/BO platform

Patchday 2025-07

Released on 2025/07/08

Description [CVE-2025-31326] HTML Injection vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence)

Security Advisory

3595141

CVSS

4.0

Affected system type SAPCAR

Patchday 2025-07

Released on 2025/07/08

Description [CVE-2025-42971] Memory Corruption vulnerability in SAPCAR

Security Advisory

3608156

CVSS

2.7

Affected system type ABAP

Patchday 2025-07

Released on 2025/07/08

Description [CVE-2025-42954] Denial of service (DOS) in SAP NetWeaver Business Warehouse (CCAW application).

Security Advisory