SAP Patchday: Another critical security vulnerability in NetWeaver
On the June patch day, SAP is addressing 14 new security notes, several of which cover critical vulnerabilities in products from Walldorf.
(Image: SAP, Collage heise online / dmk)
SAP has published 14 security notes for the June patchday. In them, the company's developers address vulnerabilities in various products, some of which are rated critical. Administrators should install the updates promptly.
In the SAP Patchday overview, the manufacturer lists the individual security notes for the vulnerabilities. The most serious one affects the SAP NetWeaver Application Server for ABAP: when processing certain inbound requests, the server omits the necessary authorization checks for an already authenticated user, so an attacker with a valid account can escalate privileges (CVE-2025-42989 / EUVD-2025-17599, CVSS 9.6, risk "critical"). Because the flaw is reachable from any authenticated user, low-privileged and technical accounts are enough to exploit it, which is why the score is so high despite the authentication requirement.
Five other vulnerabilities have been classified as high risk, six as medium risk and two as low risk.
List of SAP security notes
The vulnerabilities in detail, sorted by severity:
- Missing Authorization check in SAP NetWeaver Application Server for ABAP, CVE-2025-42989 / EUVD-2025-17599, CVSS 9.6, risk "critical"
- Information Disclosure in SAP GRC (AC Plugin), CVE-2025-42982 / EUVD-2025-17604, CVSS 8.8, risk "high"
- Missing Authorization check in SAP Business Warehouse and SAP Plug-In Basis, CVE-2025-42983 / EUVD-2025-17603, CVSS 8.5, risk "high"
- Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence (BI Workspace), CVE-2025-23192 / EUVD-2025-17607, CVSS 8.2, risk "high"
- Directory Traversal vulnerability in SAP NetWeaver Visual Composer, CVE-2025-42977 / EUVD-2025-17605, CVSS 7.6, risk "high"
- Multiple vulnerabilities in SAP MDM Server, CVE-2025-42994 / EUVD-2025-17595, CVSS 7.5, risk "high"
- Missing Authorization Check in SAP S/4HANA (Enterprise Event Enablement), CVE-2025-42993 / EUVD-2025-17596, CVSS 6.7, risk "medium"
- Cross-Site Scripting (XSS) Vulnerability in SAP NetWeaver (ABAP Keyword Documentation), CVE-2025-31325 / EUVD-2025-17606, CVSS 5.8, risk "medium"
- Missing Authorization check in SAP S/4HANA (Manage Central Purchase Contract application), CVE-2025-42984 / EUVD-2025-17602, CVSS 5.4, risk "medium"
- Security misconfiguration vulnerability in SAP Business One Integration Framework, CVE-2025-42998 / EUVD-2025-17592, CVSS 5.3, risk "medium"
- Missing Authorization Check in SAP S/4HANA (Manage Processing Rules - For Bank Statement), CVE-2025-42987 / EUVD-2025-17601, CVSS 4.3, risk "medium"
- Missing Authorization check in SAP S/4HANA (Bank Account Application), CVE-2025-42991 / EUVD-2025-17597, CVSS 4.3, risk "medium"
- Server-side request forgery in SAP BusinessObjects Business Intelligence Platform, CVE-2025-42988 / EUVD-2025-17600, CVSS 3.7, risk "low"
- HTML Injection in Unprotected SAPUI5 applications, CVE-2025-42990 / EUVD-2025-17598, CVSS 3.0, risk "low"
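A small triage helper for the list above, added here as an example and not code from heise online or SAP: it parses the note lines in the format used on this page into records, checks that each stated risk label agrees with the CVSS v3.x qualitative severity bands (critical 9.0+, high 7.0-8.9, medium 4.0-6.9, low 0.1-3.9), counts the notes per band, and returns the patch order by score. The input is the page's own list, embedded as a constructed string; the regular expression tolerates the missing space before the risk label that appears in some copies of such lists.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed input: the June 2025 SAP note list as it appears above, one note per line.
NOTE_LINES = """\
Missing Authorization check in SAP NetWeaver Application Server for ABAP, CVE-2025-42989 / EUVD-2025-17599, CVSS 9.6, risk "critical"
Information Disclosure in SAP GRC (AC Plugin), CVE-2025-42982 / EUVD-2025-17604, CVSS 8.8, risk "high"
Missing Authorization check in SAP Business Warehouse and SAP Plug-In Basis, CVE-2025-42983 / EUVD-2025-17603, CVSS 8.5, risk "high"
Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence (BI Workspace), CVE-2025-23192 / EUVD-2025-17607, CVSS 8.2, risk "high"
Directory Traversal vulnerability in SAP NetWeaver Visual Composer, CVE-2025-42977 / EUVD-2025-17605, CVSS 7.6, risk "high"
Multiple vulnerabilities in SAP MDM Server, CVE-2025-42994 / EUVD-2025-17595, CVSS 7.5, risk "high"
Missing Authorization Check in SAP S/4HANA (Enterprise Event Enablement), CVE-2025-42993 / EUVD-2025-17596, CVSS 6.7, risk "medium"
Cross-Site Scripting (XSS) Vulnerability in SAP NetWeaver (ABAP Keyword Documentation), CVE-2025-31325 / EUVD-2025-17606, CVSS 5.8, risk "medium"
Missing Authorization check in SAP S/4HANA (Manage Central Purchase Contract application), CVE-2025-42984 / EUVD-2025-17602, CVSS 5.4, risk "medium"
Security misconfiguration vulnerability in SAP Business One Integration Framework, CVE-2025-42998 / EUVD-2025-17592, CVSS 5.3, risk "medium"
Missing Authorization Check in SAP S/4HANA (Manage Processing Rules - For Bank Statement), CVE-2025-42987 / EUVD-2025-17601, CVSS 4.3, risk"medium"
Missing Authorization check in SAP S/4HANA (Bank Account Application), CVE-2025-42991 / EUVD-2025-17597, CVSS 4.3, risk "medium"
Server-side request forgery in SAP BusinessObjects Business Intelligence Platform, CVE-2025-42988 / EUVD-2025-17600, CVSS 3.7, risk "low"
HTML Injection in Unprotected SAPUI5 applications, CVE-2025-42990 / EUVD-2025-17598, CVSS 3.0, risk "low"
"""

# One note per line: "<title>, CVE-..., / EUVD-..., CVSS <score>, risk "<label>"".
# `risk\s*"` accepts both `risk "medium"` and the typo `risk"medium"`.
LINE_RE = re.compile(
    r'^(?P<title>.+?),\s*'
    r'(?P<cve>CVE-\d{4}-\d{4,})\s*/\s*(?P<euvd>EUVD-\d{4}-\d+),\s*'
    r'CVSS\s+(?P<cvss>\d+(?:\.\d+)?),\s*'
    r'risk\s*"(?P<risk>[a-z]+)"\s*$'
)


@dataclass(frozen=True)
class Note:
    title: str
    cve: str
    euvd: str
    cvss: float
    risk: str  # severity label as stated by the vendor


def cvss_band(score: float) -> str:
    """CVSS v3.x qualitative severity rating for a base score."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


def parse_notes(text: str) -> list[Note]:
    """Parse note lines; raise on any line that does not match the expected shape."""
    notes = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable note line: {line!r}")
        notes.append(Note(m["title"], m["cve"], m["euvd"], float(m["cvss"]), m["risk"].lower()))
    return notes


def mismatches(notes: list[Note]) -> list[Note]:
    """Notes whose stated risk label disagrees with the CVSS band of their score."""
    return [n for n in notes if cvss_band(n.cvss) != n.risk]


def severity_counts(notes: list[Note]) -> Counter:
    """How many notes fall into each CVSS band (computed from the score, not the label)."""
    return Counter(cvss_band(n.cvss) for n in notes)


def patch_order(notes: list[Note]) -> list[Note]:
    """Highest score first; ties broken by CVE id so the order is deterministic."""
    return sorted(notes, key=lambda n: (-n.cvss, n.cve))


if __name__ == "__main__":
    parsed = parse_notes(NOTE_LINES)
    print("label/score mismatches:", [n.cve for n in mismatches(parsed)])
    print("counts by band:", dict(severity_counts(parsed)))
    for n in patch_order(parsed):
        print(f"{n.cvss:4.1f} {cvss_band(n.cvss):8s} {n.cve}  {n.title}")
```

Running the script over the page's list reports no label/score mismatches, the 1/5/6/2 split the article states, and CVE-2025-42989 at the top of the patch order.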
The SAP patchday in May brought security updates for vulnerabilities from 16 security notes. There too, a critical vulnerability in SAP NetWeaver posed the greatest risk among the vulnerabilities covered.
(dmk)