Saturday, December 13, 2025

SAP Security Patch Day Fixes 15 Vulnerabilities, Including 3 Critical Injection Vulnerabilities

On August 12, 2025, SAP released its monthly Security Patch Day addressing 15 new vulnerabilities across multiple SAP products, marking one of the year’s most significant security updates.

The release includes three critical code injection vulnerabilities, each rated CVSS 9.9 (the highest score in this release), alongside four updates to previously released security notes.

The most severe vulnerability, CVE-2025-42957, affects SAP S/4HANA in its Private Cloud and On-Premise editions.

This critical vulnerability allows an attacker who holds a valid user account to call a function module exposed via RFC (Remote Function Call) and inject arbitrary ABAP code into the system, bypassing the authorization checks that should block it. Because the attack is authenticated rather than anonymous, any account that can reach the RFC interface is a potential entry point, not only administrative users.

Security researchers describe this vulnerability as effectively functioning as a backdoor, creating risks of full system compromise and undermining the confidentiality, integrity, and availability of affected systems.
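The pattern SAP describes, a remote-enabled function module that compiles caller input into ABAP without an authorization check, is also a pattern worth hunting for in customer-written Z* function modules. The following triage script is an added example and is not SAP's code or the vulnerable module itself (which SAP has not published). The Z_* function modules it scans are constructed samples written for this illustration; in a real landscape the list would come from TFDIR (FMODE = 'R' marks remote-enabled modules) together with each module's source, and the regexes only cover the code-generating statements named in the block.

```python
"""Triage custom function modules for the RFC code-injection pattern:
remote-enabled + generates ABAP from input + no AUTHORITY-CHECK.

Added example, not SAP code. The Z_* modules below are constructed samples.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# ABAP statements that turn caller-controlled text into executable code.
DYNAMIC_CODE_PATTERNS = {
    "GENERATE SUBROUTINE POOL": re.compile(r"\bGENERATE\s+SUBROUTINE\s+POOL\b", re.I),
    "INSERT REPORT": re.compile(r"\bINSERT\s+REPORT\b", re.I),
    "GENERATE REPORT": re.compile(r"\bGENERATE\s+REPORT\b", re.I),
}
AUTH_CHECK = re.compile(r"\bAUTHORITY-CHECK\s+OBJECT\b", re.I)


@dataclass
class FunctionModule:
    name: str
    remote_enabled: bool  # corresponds to TFDIR-FMODE = 'R' (assumption: exported by the caller)
    source: str


def strip_comments(source: str) -> str:
    """Remove full-line ('*' in column 1) and inline ('"') ABAP comments so a
    commented-out statement neither creates nor suppresses a finding."""
    kept = []
    for line in source.splitlines():
        if line.startswith("*"):
            continue
        out, in_literal = [], False
        for ch in line:
            if ch == "'":
                in_literal = not in_literal
            elif ch == '"' and not in_literal:
                break
            out.append(ch)
        kept.append("".join(out))
    return "\n".join(kept)


def dynamic_code_statements(source: str) -> list[str]:
    """Names of code-generating statements present in live (uncommented) code."""
    code = strip_comments(source)
    return [name for name, rx in DYNAMIC_CODE_PATTERNS.items() if rx.search(code)]


def has_authority_check(source: str) -> bool:
    return AUTH_CHECK.search(strip_comments(source)) is not None


def triage(modules: list[FunctionModule]) -> dict[str, tuple[str, list[str]]]:
    """Map module name -> (severity, statements). Modules without code generation are skipped."""
    findings: dict[str, tuple[str, list[str]]] = {}
    for fm in modules:
        stmts = dynamic_code_statements(fm.source)
        if not stmts:
            continue
        if not fm.remote_enabled:
            findings[fm.name] = ("INFO", stmts)      # generates code, but not reachable over RFC
        elif has_authority_check(fm.source):
            findings[fm.name] = ("REVIEW", stmts)    # guarded; confirm the check is adequate
        else:
            findings[fm.name] = ("HIGH", stmts)      # the pattern described in the SAP note
    return findings


# Constructed sample modules (not real SAP code).
SAMPLE_MODULES = [
    FunctionModule("Z_RUN_CODE_RFC", True, """\
FUNCTION z_run_code_rfc.
*"  TABLES
*"      IT_CODE STRUCTURE ABAPTXT255
  DATA lv_prog TYPE progname.
  " Caller-supplied lines are compiled and executed: the injection pattern
  GENERATE SUBROUTINE POOL it_code NAME lv_prog.
  IF sy-subrc = 0.
    PERFORM run IN PROGRAM (lv_prog) IF FOUND.
  ENDIF.
ENDFUNCTION.
"""),
    FunctionModule("Z_RUN_CODE_GUARDED", True, """\
FUNCTION z_run_code_guarded.
  DATA lv_prog TYPE progname.
  AUTHORITY-CHECK OBJECT 'S_DEVELOP'
    ID 'OBJTYPE' FIELD 'PROG'
    ID 'ACTVT'   FIELD '02'.
  IF sy-subrc <> 0.
    RAISE not_authorized.
  ENDIF.
  GENERATE SUBROUTINE POOL it_code NAME lv_prog.
ENDFUNCTION.
"""),
    FunctionModule("Z_BUILD_INTERNAL", False, """\
FUNCTION z_build_internal.
  DATA lv_prog TYPE progname.
  " Not remote-enabled; one generating statement is commented out
* GENERATE SUBROUTINE POOL lt_code NAME lv_prog.
  INSERT REPORT lv_prog FROM lt_code.
ENDFUNCTION.
"""),
    FunctionModule("Z_READ_ONLY_RFC", True, """\
FUNCTION z_read_only_rfc.
  " No dynamic code at all: nothing to report
  SELECT SINGLE bname FROM usr02 INTO ev_user WHERE bname = iv_user.
ENDFUNCTION.
"""),
]

if __name__ == "__main__":
    for name, (severity, stmts) in triage(SAMPLE_MODULES).items():
        print(f"{severity:7} {name}: {', '.join(stmts)}")
```

A HIGH finding is the shape of the issue SAP patched; a REVIEW finding still needs a human to confirm that the authorization object and activity checked actually gate the generated code, since a check against the wrong object is no better than none.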

The second critical injection vulnerability, CVE-2025-42950, affects SAP Landscape Transformation (Analysis Platform) and carries the same CVSS score of 9.9.

The affected software component is DMIS, in releases from 2011_1_700 through 2020, and the risk is the same: code injection that could lead to complete system takeover.


Beyond the critical injection vulnerabilities, SAP's August release addresses several high- and medium-priority vulnerabilities that pose significant risks to enterprise environments.

CVE-2025-42942 and CVE-2025-42948, each with a CVSS score of 6.1, could let an attacker run malicious script in a victim's browser, with session hijacking, credential theft, or actions performed on behalf of the legitimate user as the likely consequences.

CVE-2025-42951 represents a broken authorization vulnerability in SAP Business One (SLD) with a CVSS score of 8.8, potentially allowing unauthorized access to sensitive business data and functions.

The patch day also includes multiple cross-site scripting (XSS) vulnerabilities affecting SAP NetWeaver Application Server components.

CVE-2025-42976, together with CVE-2025-42975, covers multiple vulnerabilities in the BIC Document component of SAP NetWeaver Application Server ABAP.

These issues affect numerous releases of the S4COREOP and SEM-BW software components and carry a CVSS score of 8.1, underlining how broadly they touch SAP's enterprise application infrastructure.

Updated Security Notes

SAP's August release also includes four updates to security notes originally published in previous patch cycles, refining fixes already shipped.

SAP strongly recommends that customers visit the Support Portal and apply patches with priority to protect their SAP landscape, particularly given the active exploitation of similar vulnerabilities observed throughout 2025.

The most notable update involves CVE-2025-27429, originally released in April 2025, which addresses a code injection vulnerability in SAP S/4HANA with the same critical CVSS score of 9.9.

Additional updates include CVE-2025-0059, an information disclosure vulnerability in SAP NetWeaver Application Server ABAP affecting applications based on SAP GUI for HTML, and CVE-2025-23194, addressing missing authentication checks in SAP NetWeaver Enterprise Portal’s OBN component.

These updates reflect SAP’s ongoing efforts to strengthen security measures based on new threat intelligence and customer feedback.

The company’s security team continues to work with security researchers and threat intelligence organizations to identify and remediate critical vulnerabilities before they can be exploited by malicious actors.


Ethan Brooks
Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
