SAP released a comprehensive security update on July 8, 2025, addressing 27 new vulnerabilities across its enterprise software portfolio, with seven classified as critical requiring immediate attention.
The July 2025 Patch Day also included updates to three previously released security notes, reflecting SAP’s ongoing commitment to maintaining robust security postures for enterprise customers.
Organizations are strongly advised to prioritize the deployment of these patches to protect their SAP landscapes from potential security breaches.
The most severe vulnerabilities in this month’s release include a critical insecure deserialization flaw in SAP Supplier Relationship Management’s Live Auction Cockpit (CVE-2025-30012) with a maximum CVSS score of 10.0.
This vulnerability, originally disclosed in May 2025, has been updated with additional related CVEs including CVE-2025-30009, CVE-2025-30010, CVE-2025-30011, and CVE-2025-30018, affecting SRM_SERVER version 7.14.
Multiple critical deserialization vulnerabilities plague SAP NetWeaver components, each scoring 9.1 on the CVSS scale.
These include unsafe Java deserialization in NetWeaver’s XML Data Archiving Service (CVE-2025-42966), Enterprise Portal Administration (CVE-2025-42964), Federated Portal Network (CVE-2025-42980), and Application Server for Java Log Viewer (CVE-2025-42963). All affected systems run on EP-RUNTIME 7.50 or similar versions.
A code injection vulnerability in SAP S/4HANA and SAP SCM’s Characteristic Propagation component (CVE-2025-42967) rounds out the critical category, affecting multiple product versions including SCMAPO 713-714, S4CORE 102-104, and SCM 700-712 series.
SAP’s July 2025 Patch Day
The July patch release includes eight high-priority vulnerabilities primarily focused on authentication and authorization bypass issues.
Notable among these is CVE-2025-42959, which addresses missing authentication checks in SAP NetWeaver ABAP Server and ABAP Platform following the implementation of previous security notes 3007182 and 3537476. This vulnerability affects numerous SAP_BASIS versions from 700 through 915.
Cross-site scripting (XSS) vulnerabilities feature prominently in the medium-priority category, with three separate CVEs targeting different SAP components.
CVE-2025-42969 affects NetWeaver Application Server ABAP and ABAP Platform, while CVE-2025-42962 impacts Business Warehouse’s Business Explorer Web 3.5 loading animation.
Additionally, CVE-2025-42973 addresses XSS issues in SAP Data Services DQ Report functionality.
SAPCAR utility vulnerabilities represent another significant concern, with multiple CVEs addressing privilege escalation (CVE-2025-43001, CVE-2025-42992), directory traversal (CVE-2025-42970), and memory corruption (CVE-2025-42971) issues across versions 7.53 and 7.22EXT.
SAP Product Portfolio
SAP’s security advisory addressed that customers should immediately assess their environments for affected components and implement patches according to their criticality levels.
This month’s security update demonstrates the breadth of SAP’s security monitoring efforts, spanning core platforms including NetWeaver, S/4HANA, Business Objects, and specialized components like Visual Composer and Data Services.
The vulnerabilities range from infrastructure-level issues in application servers to application-specific flaws in business intelligence tools.
Authorization bypass vulnerabilities constitute a significant portion of the medium-priority fixes, with multiple CVEs addressing missing authorization checks across various SAP components including Business Warehouse, BEx Tools, and RFC-enabled function modules.
These vulnerabilities typically score between 4.3 and 5.0 on the CVSS scale but remain important for maintaining proper access controls.
The presence of seven critical vulnerabilities, particularly those involving deserialization flaws, underscores the urgent need for security teams to prioritize these updates in their patch management cycles.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
.webp?w=356&resize=356,220&ssl=1 "Microsoft Teams Blocking Users from Accessing Embedded Office Documents")
