SAP patch day: manufacturer plugs security gaps, some of them critical
In January, SAP issued 14 security notifications and associated updates for its products. Two of these are considered critical.
(Image: Created with AI in Bing Designer by heise online / dmk)
SAP is marking the first patch day of 2025 by addressing 14 security vulnerabilities across several products. Two of these carry the highest risk rating, "critical". IT managers should therefore install the available updates as quickly as possible.
The manufacturer lists the individual security notes in SAP's patch day overview. In SAP NetWeaver Application Server for ABAP and ABAP Platform, logged-in users can gain unauthorized access to the system because insufficient authentication checks allow privilege escalation (CVE-2025-0070, CVSS 9.9, risk "critical"). In addition, attackers can gain unauthorized access to sensitive information in SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) under undisclosed, specific conditions, which is due to "weak access controls" (CVE-2025-0066, CVSS 9.9, critical).
SAP: Critical and high-risk vulnerabilities
The developers also classify three other vulnerabilities as high risk. They can be found in SAP NetWeaver AS for ABAP and ABAP Platform, SAP BusinessObjects Business Intelligence Platform and SAPSetup. Admins should also quickly apply the available updates for these vulnerabilities.
An overview of the individual security vulnerabilities in SAP products addressed on the January patch day:
- Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform CVE-2025-0070, CVSS 9.9, critical
- Information Disclosure vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) CVE-2025-0066, CVSS 9.9, critical
- SQL Injection vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform CVE-2025-0063, CVSS 8.8, high
- Multiple vulnerabilities in SAP BusinessObjects Business Intelligence Platform CVE-2025-0061, CVSS 8.7, high; CVE-2025-0060, CVSS 6.5, medium
- DLL Hijacking vulnerability in SAPSetup CVE-2025-0069, CVSS 7.8, high
- Information Disclosure vulnerability in SAP Business Workflow and SAP Flexible Workflow CVE-2025-0058, CVSS 6.5, medium
- Missing Authorization check in SAP NetWeaver Application Server Java CVE-2025-0067, CVSS 6.3, medium
- Information Disclosure vulnerability in SAP GUI for Windows CVE-2025-0055, CVSS 6.0, medium
- Information Disclosure vulnerability in SAP GUI for Java CVE-2025-0056, CVSS 6.0, medium
- Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML) CVE-2025-0059, CVSS 6.0, medium
- Information Disclosure Vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform CVE-2025-0053, CVSS 5.3, medium
- Cross-Site Scripting vulnerability in SAP NetWeaver AS JAVA (User Admin Application) CVE-2025-00578, CVSS 4.8, medium
- Missing Authorization check in Remote Function Call (RFC) in SAP NetWeaver Application Server ABAP CVE-2025-0068, CVSS 4.3, medium
- Multiple buffer overflow vulnerabilities in SAP BusinessObjects Business Intelligence Platform (Crystal Reports for Enterprise) CVE-2024-29133, CVSS 2.2, low; CVE-2024-29131, no CVSS, low
In December last year, SAP addressed nine newly discovered security vulnerabilities. The company's developers also updated four older security notes with new information.
(dmk)