SAP Patchday: 18 new vulnerabilities corrected

In 18 new security bulletins, SAP addresses newly discovered vulnerabilities in numerous products as part of the February Patchday. A handful of these are considered high risk by the company. IT managers should download and install the available updates as soon as possible.

SAP lists the individual security notifications in the patchday overview for February. SAP classifies a vulnerability in BusinessObjects as the most serious. It allows attackers with admin rights to create or obtain secret passphrases and use them to issue arbitrary users in the system(CVE-2025-0064, CVSS 8.7, risk “high”).

SAP: Further high-risk vulnerabilities

SAP's Supplier Relationship Management, on the other hand, is affected by a path traversal vulnerability that allows unauthenticated attackers to download arbitrary files. This allows them to gain access to sensitive information(CVE-2025-25243, CVSS 8.6, high). In the “Node.js” package of SAPS Approuter, malicious actors can bypass authentication. By injecting maliciously manipulated data, they can take over the victim's session(CVE-2025-24876, CVSS 8.1, high).

The security notifications are as follows:

• Improper Authorization in SAP BusinessObjects Business Intelligence platform (Central Management Console), CVE-2025-0064, CVSS 8.7, risk “high”
• Path traversal vulnerability in SAP Supplier Relationship Management (Master Data Management Catalog), CVE-2025-25243, CVSS 8.6, high
• Authentication bypass via authorization code injection in SAP Approuter, CVE-2025-24876, CVSS 8.1, high
• Multiple vulnerabilities in SAP Enterprise Project Connection, CVE-2024-38819, CVSS 7.5, high
• Open Redirect Vulnerability in SAP HANA extended application services, advanced model (User Account and Authentication Services), CVE-2025-24868, CVSS 7.1, high
• SameSite Defense in Depth not applied for some cookies in SAP Commerce, CVE-2025-24875, CVSS 6.8, medium
• Missing Defense in Depth Against Clickjacking in SAP Commerce (Backoffice), CVE-2025-24874, CVSS 6.8, medium
• Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform (BI Launchpad), CVE-2025-24867, CVSS 6.1, medium
• Insecure Key & Secret Management vulnerability in SAP GUI for Windows, CVE-2025-24870, CVSS 6.0, medium
• Multiple vulnerabilities in Apache Solr within SAP Commerce Cloud, CVE-2024-45216, CVE-2024-45217, CVSS 5.5, medium
• Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java, CVE-2025-0054], CVSS 5.4, medium
• Missing Authorization check in SAP Fiori Apps Reference Library (My Overtime Requests), CVE-2025-25241, CVSS 5.4, medium
• Missing Authorization Check in SAP NetWeaver and ABAP Platform (SDCCN), CVE-2025-23187, CVSS 5.3, medium
• Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP, CVE-2025-23193, CVSS 5.3, medium
• Information Disclosure vulnerability in SAP NetWeaver Application Server Java, CVE-2025-24869, CVSS 4.3, medium
• Missing Authorization check in SAP ABAP Platform (ABAP Build Framework), CVE-2025-24872, CVSS 4.3, medium
• Missing Authorization check in SAP NetWeaver and ABAP platform (ST-PI), CVE-2025-23190, CVSS 4.3, medium
• Cache Poisoning through header manipulation vulnerability in SAP Fiori for SAP ERP, CVE-2025-23191, CVSS 3.1, low

SAP patched 14 vulnerabilities with updates on the January patch day. Some of these were even considered critical security risks.

(dmk)