SAP has published new security patches as part of March’s SAP Security Patch Day. The updates comprise 21 new notes and 3 updates to earlier notes, covering various components of the SAP system. Below we present an analysis of the most significant patches, with a focus on those of the highest priority.
The most important vulnerabilities - high priority
Vulnerability in SAP NetWeaver (ABAP Class Builder) - CVSS 8.8
Note: 3563927 Title: Missing Authorization Check in SAP NetWeaver (ABAP Class Builder)
Product: SAP NetWeaver
CVE: CVE-2025-26661 Priority: High
SAP NetWeaver contains an authorisation error that can lead to privilege escalation and unauthorised access to critical data.
Recommended remedial actions:
- Implement the fix in accordance with SAP’s instructions
- Restrict access to transaction SA38 to prevent unauthorised use of the ABAP Class Builder function
Vulnerability in SAP Commerce (Swagger UI) - CVSS 8.8
Note: 3569602 Title: Cross-Site Scripting (XSS) in SAP Commerce (Swagger UI)
Product: SAP Commerce Cloud
CVE: CVE-2025-27434 Priority: High
Insufficient input validation allows an attacker to carry out an XSS attack, which can lead to a breach of the confidentiality, integrity, and availability of the SAP Commerce system.
Recommended remedial actions:
- Update SAP Commerce Cloud to a version that eliminates the vulnerability
- Remove Swagger UI or restrict access to it
Vulnerability in Apache Tomcat within SAP Commerce Cloud - CVSS 8.6
Note: 3566851 Title: Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud
Product: SAP Commerce Cloud
CVE: CVE-2024-38286 Priority: High
SAP Commerce Cloud used a version of Apache Tomcat that is vulnerable to DoS attacks and to defects arising from unhandled error conditions.
Recommended remedial actions:
- Update Apache Tomcat to the latest version provided by SAP
- Implement appropriate safeguards against DoS attacks
Vulnerability in SAP Approuter - CVSS 8.1
Note: 3567974 Title: Authentication bypass via authorisation code injection in SAP Approuter
Product: SAP Approuter (SAP BTP)
CVE: CVE-2025-24876 Priority: High
SAP Approuter contains a flaw that allows the authentication process to be bypassed. An urgent update to version 16.7.2 or higher is recommended.
Recommended remedial actions:
- Update SAP Approuter to version 16.7.2 or later
- Monitor authentication logs to detect potential misuse
Vulnerability in SAP PDCE - CVSS 7.7
Note: 3483344 Title: Missing Authorization Check in SAP PDCE
Product: SAP PDCE
CVE: CVE-2024-39592 Priority: High
Incorrect access control allows an attacker to read sensitive information, which may affect data security within SAP PDCE.
Recommended remedial actions:
- Implement the fix in accordance with SAP’s instructions
- Implement additional access control mechanisms in SAP PDCE
Other security notes - medium and low priority
Vulnerability in SAP Business One (Service Layer) - CVSS 6.8
Note: 3561045 Title: Broken authentication in SAP Business One (Service Layer)
Product: SAP Business One (Service Layer)
CVE: CVE-2025-26658 Priority: Medium
The Service Layer in SAP Business One potentially allows attackers to gain unauthorised access and impersonate other users within the application in order to carry out unauthorised actions.
Recommended remedial actions:
- Implement the fix in accordance with SAP’s instructions
- Implement a secure method for generating session identifiers
Vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML) - CVSS 6.1
Note: 3552824 Title: Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)
Product: SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)
CVE: CVE-2025-26659 Priority: Medium
SAP NetWeaver Application Server ABAP does not sufficiently encode user-controlled input, leading to a DOM-based Cross-Site Scripting (XSS) vulnerability.
Recommended remedial actions:
- Implement the fix in accordance with SAP’s instructions
- Apply input data validation
Vulnerability in SAP NetWeaver Application Server ABAP - CVSS 6.1
Note: 3562390 Title: Cross-Site Scripting (XSS) in SAP NetWeaver Application Server ABAP
Product: SAP NetWeaver Application Server ABAP
CVE: CVE-2025-25242 Priority: Medium
SAP NetWeaver Application Server ABAP allows malicious scripts to be executed within the application, potentially leading to a Cross-Site Scripting (XSS) vulnerability. This does not affect the application’s availability, but may have a minor impact on its confidentiality and integrity.
Recommended remedial actions:
- Implement the fix in accordance with SAP’s instructions
- Properly encode URL parameters to prevent a successful XSS attack
Vulnerability in SAP Business Warehouse (Process Chains) - CVSS 5.7
Note: 3552144 Title: Missing authorisation check in SAP Business Warehouse (Process Chains)
Product: SAP NetWeaver Application Server ABAP
CVE: CVE-2025-25244 Priority: Medium
SAP Business Warehouse (Process Chains) allows an attacker to manipulate process execution due to a missing authorisation check. An attacker with permissions to view the process chain object can set one or all processes to be skipped.
Recommended remedial actions:
- Implement the fix in accordance with SAP’s instructions
- Secure the skip function within process chains using authorisation checks
Vulnerability in SAP NetWeaver Application Server Java - CVSS 5.4
Note: 3567246 Title: Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java
Product: SAP NetWeaver Application Server ABAP
CVE: CVE-2025-27431 Priority: Medium
The user management functionality in SAP NetWeaver Application Server Java is vulnerable to Stored Cross-Site Scripting (XSS) attacks.
Recommended remedial actions:
- Implement the fix in accordance with SAP’s instructions
- Properly encode URL parameters to prevent a successful XSS attack
Vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence) - CVSS 5.4
Note: 3567246 Title: Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence)
Product: SAP BusinessObjects Business Intelligence Platform (Web Intelligence)
CVE: CVE-2025-25245 Priority: Medium
SAP BusinessObjects Business Intelligence Platform (Web Intelligence) contains a legacy web application endpoint that is not adequately secured.
Recommended remedial actions:
- Implement the fix in accordance with SAP’s instructions
- The issue can be fixed by removing the affected endpoint
Vulnerability in SAP NetWeaver Enterprise Portal (OBN component) - CVSS 5.3
Note: 3561792 Title: Missing authentication check in SAP NetWeaver Enterprise Portal (OBN component)
Product: SAP NetWeaver Enterprise Portal (OBN component)
CVE: CVE-2025-23194 Priority: Medium
The OBN component of SAP NetWeaver Enterprise Portal does not perform a correct authentication check for a specific configuration setting.
Recommended remedial actions:
- Implement the fix in accordance with SAP’s instructions
- Enforce the affected function to correctly check application access restrictions
Vulnerability in SAP Web Dispatcher and Internet Communication Manager - CVSS 4.9
Note: 3558132 Title: Information disclosure vulnerability in SAP Web Dispatcher and Internet Communication Manager
Product: SAP Web Dispatcher and Internet Communication Manager
CVE: CVE-2025-0071 Priority: Medium
SAP Web Dispatcher and Internet Communication Manager allow an attacker with administrative privileges to enable a debug tracing mode using a specific parameter value.
Recommended remedial actions:
- Download and install the latest kernel patch containing all previous fixes
- Use the appropriate archive: SAPWEBDISP.SAR for SAP Web Dispatcher, or SAPEXE.SAR/SAPEXEDB.SAR for ICM and the embedded Web Dispatcher
Vulnerability in SAP BusinessObjects Business Intelligence Platform - CVSS 4.7
Note: 3557459 Title: Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence)
Product: SAP BusinessObjects Business Intelligence Platform
CVE: CVE-2025-0062 Priority: Medium
SAP BusinessObjects Business Intelligence Platform allows an attacker to inject JavaScript code into Web Intelligence reports.
Recommended remedial actions:
- Implement the fix in accordance with SAP’s instructions
- Restrict the Web Intelligence RESTful Web Service to accept only image file types
Vulnerability in SAP S/4HANA (Manage Bank Statements) - CVSS 4.3
Note: 3565835 Title: Access control vulnerabilities in SAP S/4HANA (Manage Bank Statements)
Product: SAP S/4HANA (Manage Bank Statements)
CVE: CVE-2025-27433 Priority: Medium
Manage Bank Statements in SAP S/4HANA allows an authenticated attacker to bypass certain functional restrictions and upload files to a reversed bank statement. It also does not perform the access checks required to confirm that an authenticated user’s request to interact with a resource is legitimate, allowing an attacker to delete an attachment from a posted bank statement.
Recommended remedial actions:
- Implement the fix in accordance with SAP’s instructions
- The corrective instructions provided add an additional access control to improve the security of data updates
Vulnerability in SAP S/4HANA (RBD) - CVSS 4.3
Note: 3557131 Title: Missing authorisation check in SAP S/4HANA (RBD)
Product: SAP S/4HANA (RBD)
CVE: CVE-2025-23188 Priority: Medium
An authenticated user with low privileges can exploit the missing authorisation check in the IBS FS-RBD module, allowing unauthorised access to carry out actions beyond their intended permissions.
Recommended remedial actions:
- Implement the fix in accordance with SAP’s instructions
- Update the affected functions to enforce the appropriate access restrictions
Vulnerability in SAP Fiori apps (Posting Library) - CVSS 4.3
Note: 3557655 Title: Broken access control in SAP Fiori apps (Posting Library)
Product: SAP Fiori apps (Posting Library)
CVE: CVE-2025-26660 Priority: Medium
SAP Fiori applications using the posting library do not correctly configure security settings during the configuration process, leaving them at default or inadequately defined values.
Recommended remedial actions:
- Implement the fix in accordance with SAP’s instructions
- Add security checks during data updates
Vulnerability in S/4HANA (Manage Purchasing Info Records) - CVSS 4.3
Note: 3474392 Title: Missing authorisation check in S/4HANA (Manage Purchasing Info Records)
Product: S/4HANA (Manage Purchasing Info Records)
CVE: CVE-2025-26656 Priority: Medium
The OData service in Manage Purchasing Info Records does not perform the necessary authorisation checks for an authenticated user, allowing an attacker to escalate privileges.
Recommended remedial actions:
- Implement the fix in accordance with SAP’s instructions
- Correct the relevant objects and class code
Update to a security note issued during the August 2024 Patch Day - CVSS 4.3
Note: 3475427 Title: Information disclosure vulnerability in the SAP Permit to Work service
Product: S/4HANA (Manage Purchasing Info Records)
CVE: CVE-2024-41736 Priority: Medium
Under certain conditions, SAP Permit to Work allows an authenticated attacker to access information that would otherwise be restricted, causing a minor impact on the application’s confidentiality.
Recommended remedial actions:
- Implement the fix in accordance with SAP’s instructions
- Remove the hard-coded user ID from the mock-up data files
Vulnerability in SAP Business Objects Business Intelligence Platform - CVSS 4.1
Note: 3549494 Title: Information disclosure in SAP Business Objects Business Intelligence Platform
Product: SAP Business Objects Business Intelligence Platform
CVE: CVE-2025-23185 Priority: Medium
Due to improper error handling in SAP Business Objects Business Intelligence Platform, technical application details are disclosed in exceptions thrown to the user and in stack traces.
Recommended remedial actions:
- Implement the fix in accordance with SAP’s instructions
- Sanitise and log exceptions/stack traces, passing only a generic error to clients
Vulnerabilities in SAP Commerce Cloud and SAP Datahub - CVSS 3.7
Note: 3562415 Title: Multiple Spring Framework vulnerabilities in SAP Commerce Cloud and SAP Datahub
Product: SAP Commerce Cloud and SAP Datahub
CVE: CVE-2024-38819 Priority: Low
SAP Commerce Cloud and SAP Datahub use versions of the Spring Framework that contain vulnerabilities related to path traversal (CVE-2024-38819) and field manipulation (CVE-2024-38820).
Recommended remedial actions:
- Update the Spring Framework to version 5.3 in SAP Commerce Cloud and SAP Datahub, eliminating the path traversal and field manipulation vulnerabilities
Vulnerabilities in SAP CRM and SAP S/4HANA (Interaction Center) - CVSS 3.5
Note: 3561861 Title: Server-Side Request Forgery (SSRF) in SAP CRM and SAP S/4HANA (Interaction Center)
Product: SAP CRM and SAP S/4HANA (Interaction Center)
CVE: CVE-2025-27430 Priority: Low
Under certain conditions, an SSRF vulnerability in SAP CRM and SAP S/4HANA (Interaction Center) allows a low-privileged attacker to access restricted information.
Recommended remedial actions:
- Implement the fix in accordance with SAP’s instructions
- Remove the additional access token and apply an allow-list approach for SAM message target servers, preventing the collection of restricted information
Vulnerabilities in SAP JIT (Outbound) - CVSS 3.1
Note: 3347991 Title: Missing authorisation check in SAP JIT (Outbound)
Product: SAP JIT (Outbound)
CVE: CVE-2025-26655 Priority: Low
SAP Just In Time (JIT) does not perform the necessary authorisation checks for an authenticated user, allowing an attacker to escalate privileges that would otherwise be restricted, potentially causing a minor impact on the application’s integrity.
Recommended remedial actions:
- Implement the fix in accordance with SAP’s instructions
- Implement the required authorisation checks within the transactions
Vulnerabilities in SAP Electronic Invoicing for Brazil (eDocument Cockpit) - CVSS 2.4
Note: 3568865 Title: Missing authorisation check in SAP JIT (Outbound)
Product: SAP Electronic Invoicing for Brazil (eDocument Cockpit)
CVE: CVE-2025-27432 Priority: Low
The eDocument Cockpit (Inbound NF-e) in SAP Electronic Invoicing for Brazil allows an authenticated attacker with certain privileges to gain unauthorised access to any transaction.
Recommended remedial actions:
- Implement the fix in accordance with SAP’s instructions
- A permissions check for each transaction will be performed when the user opens an inbound delivery
Best practices for securing Spring Boot Actuator endpoints for applications running on BTP - CVSS 0.0
Note: 3576540 Title: Open Source Security Guide: Best practices for securing Spring Boot Actuator endpoints for applications running on BTP
Product: BTP
CVE: N/A Priority: Low
Improperly secured Spring Boot Actuator endpoints in Java applications on BTP Cloud Foundry, Kyma, and Neo can lead to unauthorised access, data leakage, and RCE attacks. Proper safeguarding is required.
Conditions that must be met for an application to be exposed:
- The application is implemented in Spring Boot.
- The application uses the spring-boot-starter-actuator dependency.
- Actuator endpoints are enabled in the application configuration (properties/yaml). Note: in default versions, only the “health” endpoint is enabled.
- There is no authorisation or authentication for these endpoints.
- The actuator endpoints are not adequately secured (e.g. no integration with a security configuration class).
It is recommended that the Java application developer verify these conditions.
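The last three conditions above map onto two controls in the application itself: restrict which Actuator endpoints are exposed over HTTP, and put every exposed endpoint except the platform health probe behind authentication in a security configuration class. The following Spring Boot 3 / Spring Security 6 configuration is an added example written for this summary; it is not taken from SAP Note 3576540 or from SNOK. It assumes spring-boot-starter-actuator and spring-boot-starter-security are on the classpath; the package name, the ACTUATOR_ADMIN role and the property values in the comments are assumptions chosen for illustration.

```java
// Added example (not from SAP Note 3576540 or SNOK). Assumes Spring Boot 3.x with
// spring-boot-starter-actuator and spring-boot-starter-security on the classpath.
//
// Pair this class with an explicit exposure list in application.properties.
// Weak setting (every endpoint, including env, heapdump and loggers, reachable over HTTP):
//     management.endpoints.web.exposure.include=*
// Corrected setting (only what the platform and operators actually need):
//     management.endpoints.web.exposure.include=health,info
//     management.endpoint.health.show-details=when-authorized
package com.example.btpapp.security; // hypothetical package name

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorSecurityConfig {

    // A dedicated filter chain that matches only the Actuator endpoints (whatever
    // management.endpoints.web.base-path is set to), ordered before the application's
    // own chain so the Actuator rules cannot be shadowed by a broader permitAll().
    @Bean
    @Order(1)
    public SecurityFilterChain actuatorFilterChain(HttpSecurity http) throws Exception {
        http
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                // Cloud Foundry / Kyma liveness and readiness probes call /actuator/health
                // without credentials, so only that endpoint stays anonymous.
                .requestMatchers(EndpointRequest.to("health")).permitAll()
                // Every other exposed endpoint requires an authenticated operator role
                // (ACTUATOR_ADMIN is a hypothetical role name).
                .anyRequest().hasRole("ACTUATOR_ADMIN"))
            // HTTP Basic is the simplest scheme for operator tooling; on BTP the same
            // chain can instead be bound to the platform's OAuth2 resource server setup.
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

With this in place, an unauthenticated request to any Actuator path other than the health endpoint receives 401, and the exposure list keeps heap dumps and environment variables off the HTTP surface entirely; checking both the property file and the presence of such a class is a quick way to verify the conditions listed in the note during a code review.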
SNOK - your partner in securing SAP systems
SNOK specialises in securing SAP systems and is well placed to assist with the implementation of SAP’s recommendations. Our experience in SAP cybersecurity allows us to effectively identify, analyse, and remediate vulnerabilities, ensuring the security of your critical business systems.
If you need support implementing SAP security patches or a comprehensive security analysis of your SAP environment, get in touch with our team of experts, who will help secure your systems against the latest threats.