SAP Patchday: Critical Netweaver gap and many more fixed

In May, SAP's developers have published 16 new security notes. One of them deals with a critical gap in Netweaver.

Dismembered SAP logo, behind it dismembered SAP Netweaver GUI

(Image: SAP, Collage heise online / dmk)


SAP publishes a total of 16 new security alerts in May 2025. Some of them deal with critical security vulnerabilities in various products from the company's business software catalog.

SAP's patchday overview shows that the company's developers consider a vulnerability in SAP Netweaver to be a critical risk. There are also four others with a high threat level.

The list of security notifications sorted in descending order of severity:

  • Insecure Deserialization in SAP NetWeaver (Visual Composer development server), CVE-2025-42999 / EUVD-2025-14349, CVSS 9.1, risk “critical”
  • Multiple vulnerabilities in SAP Supplier Relationship Management (Live Auction Cockpit), CVE-2025-30018 / EUVD-2025-14337, CVSS 8.6, risk “high”
  • Code injection vulnerability in SAP S/4HANA Cloud Private Edition or On Premise (SCM Master Data Layer (MDL)), CVE-2025-43010 / EUVD-2025-14339, CVSS 8.3, risk “high”
  • Information Disclosure Vulnerability in SAP Business Objects Business Intelligence Platform (PMW), CVE-2025-43000 / EUVD-2025-14348, CVSS 7.9, risk “high”
  • Missing Authorization Check in SAP Landscape Transformation (PCL Basis), CVE-2025-43011 / EUVD-2025-14338, CVSS 7.7, risk “high”
  • Information Disclosure vulnerability in SAP Gateway Client, CVE-2025-42997 / EUVD-2025-14350, CVSS 6.6, risk “medium”
  • Information Disclosure vulnerability in SAP S/4HANA (Private Cloud & On-Premise), CVE-2025-43003 / EUVD-2025-14346, CVSS 6.4, risk “medium”
  • Missing Authorization check in SAP Service Parts Management (SPM), CVE-2025-43009 / EUVD-2025-14340, CVSS 6.3, risk “medium”
  • Missing Authorization check in SAP Service Parts Management (SPM), CVE-2025-43007 / EUVD-2025-14342, CVSS 6.3, risk “medium”
  • Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform, CVE-2025-31329 / EUVD-2025-14351, CVSS 6.2, risk “medium”
  • Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management (Master Data Management Catalog), CVE-2025-43006 / EUVD-2025-14343, CVSS 6.1, risk “medium”
  • Missing Authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal, CVE-2025-43008 / EUVD-2025-14341, CVSS 5.8, risk “medium”
  • Security Misconfiguration Vulnerability in SAP Digital Manufacturing (Production Operator Dashboard), CVE-2025-43004 / EUVD-2025-14345, CVSS 5.3, risk “medium”
  • Cross-Site Scripting (XSS) vulnerability in the SAP Data Services Management Console, CVE-2025-26662 / EUVD-2025-14356, CVSS 4.4, risk “medium”
  • Missing Authorization check in SAP S/4HANA (OData meta-data property), CVE-2025-43002 / EUVD-2025-14347, CVSS 4.3, risk “medium”
  • Information disclosure vulnerability in SAP GUI for Windows, CVE-2025-43005 / EUVD-2025-14344, CVSS 4.3, risk “medium”

SAP has also updated the security note on the critical, already actively exploited SAP Netweaver vulnerability CVE-2025-31324 / EUVD-2025-11987, as well as the note on a vulnerability in SAP PDCE first reported in July 2024 (CVE-2024-39592 / EUVD-2024-38112, CVSS 7.7, risk “high”).


IT managers should check whether they are running affected software and apply the available updates promptly. A critical vulnerability in SAP Netweaver recently showed why updates to SAP software should be installed as quickly as possible: at the end of April it became known that the vulnerability, rated with the highest possible severity of CVSS 10.0, was being actively exploited, and yet hundreds of vulnerable servers remained reachable on the network. Meanwhile, further waves of attacks on CVE-2025-31324 / EUVD-2025-11987 are apparently underway.

The SAP patch day in April brought 18 new security bulletins across the company's software portfolio. These included three that dealt with vulnerabilities classified as critical risks.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.