SAP Patchday: 18 vulnerability reports, some are critical

In April, the monthly SAP patchday covers vulnerabilities in the company's software in 18 new security releases.

[Image: Laptop with SAP logo on fire, in front of server racks. Caption: There are security gaps in SAP products. Credit: image created with AI in Bing Designer by heise online / dmk]

On Tuesday this week, SAP published the security bulletins for the April Patchday. In total, the Walldorf-based company addresses vulnerabilities in 18 security bulletins. Three of these are considered critical security risks, while four are considered high risks.

SAP lists the individual bulletins in the patchday overview. The descriptions there do not go into great detail; admins can find the full details after logging into their SAP account under the SAP note number linked from each entry.

The critical vulnerabilities allow attackers to inject and execute malicious code in SAP S/4HANA (Private Cloud) (CVE-2025-27429, CVSS 9.9, risk “critical”) and SAP Landscape Transformation (Analysis Platform) (CVE-2025-31330, CVSS 9.9, risk “critical”). Malicious actors can also bypass authentication in SAP Financial Consolidation (CVE-2025-30016, CVSS 9.8, “critical” risk).


IT managers should check whether the software used in their networks is among the programs affected by vulnerabilities and quickly install the available updates. The current security messages from SAP, sorted by risk classification:

  • Code injection vulnerability in SAP S/4HANA (Private Cloud), CVE-2025-27429, CVSS 9.9, critical
  • Code injection vulnerability in SAP Landscape Transformation (Analysis Platform), CVE-2025-31330, CVSS 9.9, critical
  • Authentication bypass vulnerability in SAP Financial Consolidation, CVE-2025-30016, CVSS 9.8, critical
  • Mixed dynamic RFC destination vulnerability through Remote Function Call (RFC) in SAP NetWeaver Application Server ABAP, CVE-2025-23186, CVSS 8.5, high
  • Time-of-check time-of-use (TOCTOU) race condition vulnerability in Apache Tomcat within SAP Commerce Cloud, CVE-2024-56337, CVSS 8.1, high
  • Directory traversal vulnerability in SAP Capital Yield Tax Management, CVE-2025-30014, CVSS 7.7, high
  • Directory traversal vulnerability in SAP NetWeaver and ABAP Platform (Service Data Collection), CVE-2025-27428, CVSS 7.7, high
  • Potential information disclosure vulnerability in SAP Commerce Cloud (Public Cloud), CVE-2025-26654, CVSS 6.8, medium
  • Code injection vulnerability in SAP ERP BW Business Content, CVE-2025-30013, CVSS 6.7, medium
  • Insecure file permissions vulnerability in SAP BusinessObjects Business Intelligence Platform, CVE-2025-31332, CVSS 6.6, medium
  • Information disclosure vulnerability in SAP KMC WPC, CVE-2025-26657, CVSS 5.3, medium
  • Cross-site scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML), CVE-2025-26653, CVSS 4.7, medium
  • Missing authorization check in SAP Solution Manager, CVE-2025-30017, CVSS 4.4, medium
  • OData metadata tampering in SAP S4CORE entity, CVE-2025-31333, CVSS 4.3, medium
  • Missing authorization check in SAP NetWeaver Application Server ABAP (Virus Scan Interface), CVE-2025-27437, CVSS 4.3, medium
  • Authorization bypass vulnerability in SAP NetWeaver, CVE-2025-31331, CVSS 4.3, medium
  • Information disclosure vulnerability in SAP Commerce Cloud, CVE-2025-27435, CVSS 4.2, medium
  • Memory corruption vulnerability in SAP NetWeaver and ABAP Platform (Application Server ABAP), CVE-2025-30015, CVSS 4.1, medium

SAP has also updated two older security notifications. One concerns the SAP BusinessObjects Business Intelligence Platform, in which a high-risk vulnerability was initially discovered in February, and the other concerns a Server-Side Request Forgery (SSRF) in SAP CRM and SAP S/4 HANA with low severity, which was originally addressed in March.

In March, SAP dealt with 22 security notifications relating to numerous vulnerabilities in the company's software. In February, the number of security notifications was the same as in April with 18, but the highest threat level of the vulnerabilities was “high” risk.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.