SAP Patchday: Critical vulnerabilities allow malicious code to be injected

In August, SAP issued 15 new security notes on vulnerabilities in its products. Some of them address critical risks.


SAP's August Patchday brings 15 new security notes that address, among other things, critical and high-risk vulnerabilities in the company's products. IT managers should apply the updates provided without delay.

The SAP patches overview page also lists four updated, older notes. The most serious new vulnerability is a code injection flaw in SAP S/4HANA that affects both the on-premises and the private cloud editions. Attackers with user privileges can exploit a flaw in an RFC-exposed function module to bypass "essential authorization checks" and inject arbitrary ABAP code into the system. According to SAP's vulnerability description, the flaw effectively functions as a backdoor and carries the risk of complete system compromise (CVE-2025-42957 / EUVD-2025-24203, CVSS 9.9, risk "critical").

The description of a vulnerability in SAP Landscape Transformation (SLT) reads identically and carries the same risk rating (CVE-2025-42950 / EUVD-2025-24206, CVSS 9.9, risk "critical").


A vulnerability in SAP Business One (SLD) has also been rated "high" risk: a broken authorization check allows authenticated attackers to escalate their privileges (CVE-2025-42951 / EUVD-2025-24205, CVSS 8.8, risk "high"). Several vulnerabilities in SAP NetWeaver allow attackers to crash components and thus cause a denial of service (DoS) (CVE-2025-42976 / EUVD-2025-24201, CVSS 8.1, risk "high"). A cross-site scripting vulnerability in NetWeaver also allows unauthenticated attackers to craft links that execute malicious code in the victim's browser (CVE-2025-42975 / EUVD-2025-24202, CVSS 6.1, risk "medium").

Other vulnerabilities with medium or low severity also affect SAP S/4HANA (Bank Communication Management), SAP NetWeaver Application Server ABAP, SAP NetWeaver ABAP Platform, SAP NetWeaver Application Server ABAP (apps based on SAP GUI for HTML), SAP GUI for Windows, SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Manager), SAP Cloud Connector, and SAP Fiori (Launchpad).

SAP's July Patchday was considerably more extensive: the Walldorf-based company published 27 security notes, five of which addressed vulnerabilities rated as critical.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.