SAP: Critical security vulnerability patched out of turn
SAP organizes monthly patchdays. A critical security vulnerability is now forcing the company to update out of turn.
There are security gaps in SAP products.
(Image: created with AI in Bing Designer by heise online / dmk)
IT managers can usually rely on a monthly schedule for installing SAP security updates. This time, just before the weekend, things are different: the Walldorf-based software group is patching a critical security vulnerability, rated at the maximum CVSS score of 10 out of 10, outside its regular schedule. Admins should take action quickly.
SAP issued a vulnerability report on Thursday. "SAP NetWeaver Visual Composer Metadata Uploader is not protected by proper authorization, which allows unauthenticated attackers to upload potentially malicious executable binaries that can severely damage the system," the company's developers write there (CVE-2025-31324, CVSS 10.0, risk "critical").
Critical security vulnerability in SAP Netweaver
SAP does not provide any further details, not even on the updated overview page for the April Patchday, which has been extended to include the new entry. That page now also lists two security notes that have been updated since the initial release around two weeks ago, as well as two further security notes published outside the regular schedule. The latter, however, concern vulnerabilities in SAP S/4 HANA and SAP Field Logistics that are rated only as medium risk.
IT managers with vulnerable SAP Netweaver instances should apply the updates provided immediately. They are available to registered admins via the channels known to them.
The April Patchday regularly takes place on the second Tuesday of the month. In April, SAP published 18 security bulletins on vulnerabilities in various products. Some of these were already considered a critical risk, but none of the vulnerabilities reached the worst possible classification, a CVSS score of 10 (out of a maximum possible 10 points).
(dmk)