SAP© Security Advisories - 07 2025 - SecurityBridge Cloud Platform

We've created the first of its kind, SecurityBridge Cloud Platform, designed to prioritize SAP patches, updates, and remediation strategies that help prevent disruptions to critical business systems. Our security advisories provide SAP users with valuable insights into the security and business implications of operating SAP.

The user interface is designed to be as intuitive as possible, but we’d love to hear your feedback and suggestions.
We hope you enjoy using it!

× Yikes, there is work to do!
This time we found critical correction advisiories. We count 32 and the highest CVSS score is 10.0.

Severity

SAP© Security advisories 32

System Types

Affected SAP© system types

_{Related note}
3578900

_CVSS
10.0

_{Affected system
type}
Java

_Patchday
2025-07

_{Released
on}
2025/05/13

Description
[CVE-2025-30012] Multiple vulnerabilities in SAP Supplier Relationship Management (Live Auction Cockpit)

Security Advisory

_{Related note}
3618955

_CVSS
9.9

_{Affected system
type}
ABAP

_Patchday
2025-07

_{Released
on}
2025/07/08

Description
[CVE-2025-42967] Code Injection vulnerability in SAP S/4HANA and SAP SCM (Characteristic Propagation)

Security Advisory

_{Related note}
3610892

_CVSS
9.1

_{Affected system
type}
Java

_Patchday
2025-07

_{Released
on}
2025/07/08

Description
[CVE-2025-42966] Insecure Deserialization vulnerability in SAP NetWeaver (XML Data Archiving Service)

Security Advisory

_{Related note}
3621236

_CVSS
9.1

_{Affected system
type}
Java

_Patchday
2025-07

_{Released
on}
2025/07/08

Description
[CVE-2025-42964] Insecure Deserialization in SAP NetWeaver Enterprise Portal Administration

Security Advisory

_{Related note}
3620498

_CVSS
9.1

_{Affected system
type}
Java

_Patchday
2025-07

_{Released
on}
2025/07/08

Description
[CVE-2025-42980] Insecure Deserialization in SAP NetWeaver Enterprise Portal Federated Portal Network

Security Advisory

_{Related note}
3621771

_CVSS
9.1

_{Affected system
type}
Java

_Patchday
2025-07

_{Released
on}
2025/07/08

Description
[CVE-2025-42963] Insecure Deserialization in SAP NetWeaver Application Server for Java (Log Viewer )

Security Advisory

_{Related note}
3623440

_CVSS
8.1

_{Affected system
type}
ABAP

_Patchday
2025-07

_{Released
on}
2025/07/08

Description
[CVE-2025-42953] Missing Authorization check in SAP NetWeaver Application Server for ABAP

Security Advisory

_{Related note}
3600846

_CVSS
8.1

_{Affected system
type}
ABAP

_Patchday
2025-07

_{Released
on}
2025/07/08

Description
[CVE-2025-42959] Missing Authentication check after implementation of SAP Security Note 3007182 and 3537476

Security Advisory

_{Related note}
3565279

_CVSS
8.0

_{Affected system
type}
BI/BO platform

_Patchday
2025-07

_{Released
on}
2025/07/08

Description
[CVE-2024-53677] Insecure File Operations vulnerability in SAP Business Objects Business Intelligence Platform (CMC)

Security Advisory

_{Related note}
3623255

_CVSS
7.7

_{Affected system
type}
ABAP

_Patchday
2025-07

_{Released
on}
2025/07/08

Description
[CVE-2025-42952] Missing Authorization check in SAP Business Warehouse and SAP Plug-In Basis

Security Advisory

_{Related note}
3610591

_CVSS
7.6

_{Affected system
type}
ABAP

_Patchday
2025-07

_{Released
on}
2025/06/10

Description
[CVE-2025-42977] Directory Traversal vulnerability in SAP NetWeaver Visual Composer

Security Advisory

_{Related note}
3595143

_CVSS
6.9

_{Affected system
type}
SAPCAR

_Patchday
2025-07

_{Released
on}
2025/07/08

Description
[CVE-2025-43001] Multiple Privilege Escalation Vulnerabilities in SAPCAR

Security Advisory

_{Related note}
3580384

_CVSS
6.7

_{Affected system
type}
ABAP

_Patchday
2025-07

_{Released
on}
2025/06/10

Description
[CVE-2025-42993] Missing Authorization Check in SAP S/4HANA (Enterprise Event Enablement)

Security Advisory

_{Related note}
3617380

_CVSS
6.1

_{Affected system
type}
BI/BO platform

_Patchday
2025-07

_{Released
on}
2025/07/08

Description
[CVE-2025-42985] Open Redirect vulnerability in SAP BusinessObjects Content Administrator workbench

Security Advisory

_{Related note}
3596987

_CVSS
6.1

_{Affected system
type}
ABAP

_Patchday
2025-07

_{Released
on}
2025/07/08

Description
[CVE-2025-42969] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform

Security Advisory

_{Related note}
3604212

_CVSS
6.1

_{Affected system
type}
ABAP

_Patchday
2025-07

_{Released
on}
2025/07/08

Description
[CVE-2025-42962] Cross-Site Scripting (XSS) vulnerability in SAP Business Warehouse (Business Explorer Web 3.5 loading animation)

Security Advisory

_{Related note}
3617131

_CVSS
6.1

_{Affected system
type}
ABAP

_Patchday
2025-07

_{Released
on}
2025/07/08

Description
[CVE-2025-42981] Open Redirect vulnerability in SAP NetWeaver Application Server ABAP

Security Advisory

_{Related note}
3585992

_CVSS
5.8

_{Affected system
type}
ABAP

_Patchday
2025-07

_{Released
on}
2025/05/13

Description
[CVE-2025-43008] Missing Authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal

Security Advisory

_{Related note}
3595156

_CVSS
5.8

_{Affected system
type}
SAPCAR

_Patchday
2025-07

_{Released
on}
2025/07/08

Description
[CVE-2025-42970] Directory Traversal vulnerability in SAPCAR

Security Advisory

_{Related note}
3607513

_CVSS
5.6

_{Affected system
type}
SAP GUI / Frontend

_Patchday
2025-07

_{Released
on}
2025/07/08

Description
[CVE-2025-42979] Insecure Key & Secret Management vulnerability in SAP GUI for Windows

Security Advisory

_{Related note}
3540688

_CVSS
5.5

_{Affected system
type}
ABAP

_Patchday
2025-07

_{Released
on}
2025/07/22

Description
[CVE-2025-42947] Code Injection vulnerability in SAP FICA ODN framework

Security Advisory

_{Related note}
3606103

_CVSS
5.4

_{Affected system
type}
SAP Data Services

_Patchday
2025-07

_{Released
on}
2025/07/08

Description
[CVE-2025-42973] Cross-Site Scripting (XSS) vulnerability in SAP Data Services (DQ Report)

Security Advisory

_{Related note}
3621037

_CVSS
5.0

_{Affected system
type}
ABAP

_Patchday
2025-07

_{Released
on}
2025/07/08

Description
[CVE-2025-42968] Missing Authorization check in SAP NetWeaver (RFC enabled function module)

Security Advisory

_{Related note}
3610322

_CVSS
4.9

_{Affected system
type}
ABAP

_Patchday
2025-07

_{Released
on}
2025/07/08

Description
[CVE-2025-42961] Missing Authorization check in SAP NetWeaver Application Server for ABAP

Security Advisory

_{Related note}
3608991

_CVSS
4.3

_{Affected system
type}
ABAP

_Patchday
2025-07

_{Released
on}
2025/07/08

Description
[CVE-2025-42960] Missing Authorization Check in SAP Business Warehouse and SAP BW/4HANA BEx Tools

Security Advisory

_{Related note}
3626440

_CVSS
4.3

_{Affected system
type}
ABAP

_Patchday
2025-07

_{Released
on}
2025/07/08

Description
[CVE-2025-42986] Missing Authorization check in SAP NetWeaver and ABAP Platform

Security Advisory

_{Related note}
3610056

_CVSS
4.3

_{Affected system
type}
ABAP

_Patchday
2025-07

_{Released
on}
2025/07/08

Description
[CVE-2025-42974] Missing Authorization Check in SAP NetWeaver and ABAP Platform (SDCCN)

Security Advisory

_{Related note}
3598118

_CVSS
4.1

_{Affected system
type}
BI/BO platform

_Patchday
2025-07

_{Released
on}
2025/07/08

Description
[CVE-2025-42965] Server Side Request Forgery(SSRF) vulnerability in SAP BusinessObjects BI Platform Central Management Console Promotion Management Application.

Security Advisory

_{Related note}
3573199

_CVSS
4.1

_{Affected system
type}
BI/BO platform

_Patchday
2025-07

_{Released
on}
2025/07/08

Description
[CVE-2025-31326] HTML Injection vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence)

Security Advisory

_{Related note}
3595141

_CVSS
4.0

_{Affected system
type}
SAPCAR

_Patchday
2025-07

_{Released
on}
2025/07/08

Description
[CVE-2025-42971] Memory Corruption vulnerability in SAPCAR

Security Advisory

_{Related note}
3557179

_CVSS
3.5

_{Affected system
type}
Java

_Patchday
2025-07

_{Released
on}
2025/07/08

Description
[CVE-2025-42978] Insufficiently Secure Hostname Verification for Outbound TLS Connections in SAP NetWeaver Application Server Java

Security Advisory

_{Related note}
3608156

_CVSS
2.7

_{Affected system
type}
ABAP

_Patchday
2025-07

_{Released
on}
2025/07/08

Description
[CVE-2025-42954] Denial of service (DOS) in SAP NetWeaver Business Warehouse (CCAW application).

Security Advisory

Notifications

Severity

SAP© Security advisories 32

System Types

Affected SAP© system types

Related note 3578900

CVSS 10.0

Affected system type Java

Patchday2025-07

Released on2025/05/13

Related note 3618955

CVSS 9.9

Affected system type ABAP

Patchday2025-07

Released on2025/07/08

Related note 3610892

CVSS 9.1

Affected system type Java

Patchday2025-07

Released on2025/07/08

Related note 3621236

CVSS 9.1

Affected system type Java

Patchday2025-07

Released on2025/07/08

Related note 3620498

CVSS 9.1

Affected system type Java

Patchday2025-07

Released on2025/07/08

Related note 3621771

CVSS 9.1

Affected system type Java

Patchday2025-07

Released on2025/07/08

Related note 3623440

CVSS 8.1

Affected system type ABAP

Patchday2025-07

Released on2025/07/08

Related note 3600846

CVSS 8.1

Affected system type ABAP

Patchday2025-07

Released on2025/07/08

Related note 3565279

CVSS 8.0

Affected system type BI/BO platform

Patchday2025-07

Released on2025/07/08

Related note 3623255

CVSS 7.7

Affected system type ABAP

Patchday2025-07

Released on2025/07/08

Related note 3610591

CVSS 7.6

Affected system type ABAP

Patchday2025-07

Released on2025/06/10

Related note 3595143

CVSS 6.9

Affected system type SAPCAR

Patchday2025-07

Released on2025/07/08

Related note 3580384

CVSS 6.7

Affected system type ABAP

Patchday2025-07

Released on2025/06/10

Related note 3617380

CVSS 6.1

Affected system type BI/BO platform

Patchday2025-07

Released on2025/07/08

Related note 3596987

CVSS 6.1

Affected system type ABAP

Patchday2025-07

Released on2025/07/08

_{Related note}
3578900

_CVSS
10.0

_{Affected system
type}
Java

_Patchday
2025-07

_{Released
on}
2025/05/13

_{Related note}
3618955

_CVSS
9.9

_{Affected system
type}
ABAP

_Patchday
2025-07

_{Released
on}
2025/07/08

_{Related note}
3610892

_CVSS
9.1

_{Affected system
type}
Java

_Patchday
2025-07

_{Released
on}
2025/07/08

_{Related note}
3621236

_CVSS
9.1

_{Affected system
type}
Java

_Patchday
2025-07

_{Released
on}
2025/07/08

_{Related note}
3620498

_CVSS
9.1

_{Affected system
type}
Java

_Patchday
2025-07

_{Released
on}
2025/07/08

_{Related note}
3621771

_CVSS
9.1

_{Affected system
type}
Java

_Patchday
2025-07

_{Released
on}
2025/07/08

_{Related note}
3623440

_CVSS
8.1

_{Affected system
type}
ABAP

_Patchday
2025-07

_{Released
on}
2025/07/08

_{Related note}
3600846

_CVSS
8.1

_{Affected system
type}
ABAP

_Patchday
2025-07

_{Released
on}
2025/07/08

_{Related note}
3565279

_CVSS
8.0

_{Affected system
type}
BI/BO platform

_Patchday
2025-07

_{Released
on}
2025/07/08

_{Related note}
3623255

_CVSS
7.7

_{Affected system
type}
ABAP

_Patchday
2025-07

_{Released
on}
2025/07/08

_{Related note}
3610591

_CVSS
7.6

_{Affected system
type}
ABAP

_Patchday
2025-07

_{Released
on}
2025/06/10

_{Related note}
3595143

_CVSS
6.9

_{Affected system
type}
SAPCAR

_Patchday
2025-07

_{Released
on}
2025/07/08

_{Related note}
3580384

_CVSS
6.7

_{Affected system
type}
ABAP

_Patchday
2025-07

_{Released
on}
2025/06/10

_{Related note}
3617380

_CVSS
6.1

_{Affected system
type}
BI/BO platform

_Patchday
2025-07

_{Released
on}
2025/07/08

_{Related note}
3596987

_CVSS
6.1

_{Affected system
type}
ABAP

_Patchday
2025-07

_{Released
on}
2025/07/08

_{Related note}
3604212

_CVSS
6.1

_{Affected system
type}
ABAP

_Patchday
2025-07

_{Released
on}
2025/07/08