
Safe Tuesday with SNOK: Latest SAP security patches - March 2025


SAP has published new security patches as part of March’s SAP Security Patch Day. The updates comprise 21 new notes and 3 updates to earlier notes, covering various components of the SAP system. Below we present an analysis of the most significant patches, with a focus on those of the highest priority.

The most important vulnerabilities - high priority

Vulnerability in SAP NetWeaver (ABAP Class Builder) - CVSS 8.8

Note: 3563927 Title: Missing Authorization Check in SAP NetWeaver (ABAP Class Builder)

Product: SAP NetWeaver

CVE: CVE-2025-26661 Priority: High

SAP NetWeaver does not perform the necessary authorisation check in the ABAP Class Builder, allowing an authenticated user to escalate privileges and gain unauthorised access to critical data.

Recommended remedial actions:

  • Implement the fix in accordance with SAP’s instructions

  • As a compensating control until the note is applied, restrict access to transaction SA38 to prevent unauthorised use of the affected ABAP Class Builder function

Vulnerability in SAP Commerce (Swagger UI) - CVSS 8.8

Note: 3569602 Title: Cross-Site Scripting (XSS) in SAP Commerce (Swagger UI)

Product: SAP Commerce Cloud

CVE: CVE-2025-27434 Priority: High

Insufficient input validation in the Swagger UI shipped with SAP Commerce allows an attacker to carry out an XSS attack, which can compromise the confidentiality, integrity, and availability of the SAP Commerce system.

Recommended remedial actions:

  • Update SAP Commerce Cloud to a version that eliminates the vulnerability

  • Remove Swagger UI from production deployments, or restrict access to it

Vulnerability in Apache Tomcat within SAP Commerce Cloud - CVSS 8.6

Note: 3566851 Title: Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud

Product: SAP Commerce Cloud

CVE: CVE-2024-38286 Priority: High

SAP Commerce Cloud shipped a version of Apache Tomcat that is vulnerable to denial-of-service attacks and to improper handling of error conditions.

Recommended remedial actions:

  • Update Apache Tomcat to the latest version provided by SAP

  • Implement appropriate safeguards against DoS attacks (for example rate limiting or a WAF in front of the exposed endpoints) as a compensating control

Vulnerability in SAP Approuter - CVSS 8.1

Note: 3567974 Title: Authentication bypass via authorisation code injection in SAP Approuter

Product: SAP Approuter (SAP BTP)

CVE: CVE-2025-24876 Priority: High

SAP Approuter contains a flaw that allows the authentication process to be bypassed by injecting an authorisation code into the login flow. An urgent update to version 16.7.2 or higher is recommended.

Recommended remedial actions:

  • Update SAP Approuter to version 16.7.2 or later

  • Monitor authentication logs to detect potential misuse

Vulnerability in SAP PDCE - CVSS 7.7

Note: 3483344 Title: Missing Authorization Check in SAP PDCE

Product: SAP PDCE

CVE: CVE-2024-39592 Priority: High

Incorrect access control allows an attacker to read sensitive information, which may affect data security within SAP PDCE.

Recommended remedial actions:

  • Implement the fix in accordance with SAP’s instructions

  • Implement additional access control mechanisms in SAP PDCE

Other security notes - medium and low priority

Vulnerability in SAP Business One (Service Layer) - CVSS 6.8

Note: 3561045 Title: Broken authentication in SAP Business One (Service Layer)

Product: SAP Business One (Service Layer)

CVE: CVE-2025-26658 Priority: Medium

The Service Layer in SAP Business One allows attackers to potentially gain unauthorised access and impersonate other users within the application in order to carry out unauthorised actions.

Recommended remedial actions:

  • Implement the fix in accordance with SAP’s instructions

  • Implement a secure method for generating session identifiers

Vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML) - CVSS 6.1

Note: 3552824 Title: Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)

Product: SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)

CVE: CVE-2025-26659 Priority: Medium

SAP NetWeaver Application Server ABAP does not sufficiently encode user-controlled input, leading to a DOM-based Cross-Site Scripting (XSS) vulnerability.

Recommended remedial actions:

  • Implement the fix in accordance with SAP’s instructions

  • Apply input data validation

Vulnerability in SAP NetWeaver Application Server ABAP - CVSS 6.1

Note: 3562390 Title: Cross-Site Scripting (XSS) in SAP NetWeaver Application Server ABAP

Product: SAP NetWeaver Application Server ABAP

CVE: CVE-2025-25242 Priority: Medium

SAP NetWeaver Application Server ABAP does not properly encode URL parameters before rendering them, allowing an attacker to inject script that executes in a victim's browser (Cross-Site Scripting). Availability is not affected; the impact on confidentiality and integrity is low.

Recommended remedial actions:

  • Implement the fix in accordance with SAP’s instructions

  • Properly encode URL parameters to prevent a successful XSS attack

Vulnerability in SAP Business Warehouse (Process Chains) - CVSS 5.7

Note: 3552144 Title: Missing authorisation check in SAP Business Warehouse (Process Chains)

Product: SAP NetWeaver Application Server ABAP

CVE: CVE-2025-25244 Priority: Medium

SAP Business Warehouse (Process Chains) allows an attacker to manipulate process execution due to a missing authorisation check. An attacker with permissions to view the process chain object can set one or all processes to be skipped.

Recommended remedial actions:

  • Implement the fix in accordance with SAP’s instructions

  • Secure the skip function within process chains using authorisation checks

Vulnerability in SAP NetWeaver Application Server Java - CVSS 5.4

Note: 3567246 Title: Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java

Product: SAP NetWeaver Application Server Java

CVE: CVE-2025-27431 Priority: Medium

The user management functionality in SAP NetWeaver Application Server Java is vulnerable to Stored Cross-Site Scripting (XSS) attacks.

Recommended remedial actions:

  • Implement the fix in accordance with SAP’s instructions

  • Properly encode user-supplied values, including URL parameters, before they are stored and rendered, to prevent a successful XSS attack

Vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence) - CVSS 5.4

Note: 3567246 Title: Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence)

Product: SAP BusinessObjects Business Intelligence Platform (Web Intelligence)

CVE: CVE-2025-25245 Priority: Medium

SAP BusinessObjects Business Intelligence Platform (Web Intelligence) contains a legacy web application endpoint that is not adequately secured.

Recommended remedial actions:

  • Implement the fix in accordance with SAP’s instructions

  • The issue can be fixed by removing the affected endpoint

Vulnerability in SAP NetWeaver Enterprise Portal (OBN component) - CVSS 5.3

Note: 3561792 Title: Missing authentication check in SAP NetWeaver Enterprise Portal (OBN component)

Product: SAP NetWeaver Enterprise Portal (OBN component)

CVE: CVE-2025-23194 Priority: Medium

The OBN component of SAP NetWeaver Enterprise Portal does not perform a correct authentication check for a specific configuration setting.

Recommended remedial actions:

  • Implement the fix in accordance with SAP’s instructions

  • Enforce the affected function to correctly check application access restrictions

Vulnerability in SAP Web Dispatcher and Internet Communication Manager - CVSS 4.9

Note: 3558132 Title: Information disclosure vulnerability in SAP Web Dispatcher and Internet Communication Manager

Product: SAP Web Dispatcher and Internet Communication Manager

CVE: CVE-2025-0071 Priority: Medium

SAP Web Dispatcher and Internet Communication Manager allow an attacker who already holds administrative privileges to enable a debug tracing mode using a specific parameter value, which can expose information that would otherwise not be logged. The requirement for administrative access is why the rating is moderate.

Recommended remedial actions:

  • Download and install the latest kernel patch containing all previous fixes.

  • Use the appropriate archive: SAPWEBDISP.SAR for SAP Web Dispatcher, or SAPEXE.SAR/SAPEXEDB.SAR for ICM and the embedded Web Dispatcher

Vulnerability in SAP BusinessObjects Business Intelligence Platform - CVSS 4.7

Note: 3557459 Title: Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence)

Product: SAP BusinessObjects Business Intelligence Platform

CVE: CVE-2025-0062 Priority: Medium

SAP BusinessObjects Business Intelligence Platform allows an attacker to inject JavaScript code into Web Intelligence reports.

Recommended remedial actions:

  • Implement the fix in accordance with SAP’s instructions

  • Restrict the Web Intelligence RESTful Web Service to accept only image file types

Vulnerability in SAP S/4HANA (Manage Bank Statements) - CVSS 4.3

Note: 3565835 Title: Access control vulnerabilities in SAP S/4HANA (Manage Bank Statements)

Product: SAP S/4HANA (Manage Bank Statements)

CVE: CVE-2025-27433 Priority: Medium

Manage Bank Statements in SAP S/4HANA has two access control weaknesses. First, it allows an authenticated attacker to bypass certain functional restrictions and upload files to a reversed bank statement. Second, it does not perform the required access checks to confirm that an authenticated user's request to interact with a resource is legitimate, allowing an attacker to delete an attachment from a posted bank statement.

Recommended remedial actions:

  • Implement the fix in accordance with SAP’s instructions

  • The corrective instructions provided add an additional access control to improve the security of data updates

Vulnerability in SAP S/4HANA (RBD) - CVSS 4.3

Note: 3557131 Title: Missing authorisation check in SAP S/4HANA (RBD)

Product: SAP S/4HANA (RBD)

CVE: CVE-2025-23188 Priority: Medium

An authenticated user with low privileges can exploit the missing authorisation check in the IBS FS-RBD module, allowing unauthorised access to carry out actions beyond their intended permissions.

Recommended remedial actions:

  • Implement the fix in accordance with SAP’s instructions

  • Update the affected functions to enforce the appropriate access restrictions

Vulnerability in SAP Fiori apps (Posting Library) - CVSS 4.3

Note: 3557655 Title: Broken access control in SAP Fiori apps (Posting Library)

Product: SAP Fiori apps (Posting Library)

CVE: CVE-2025-26660 Priority: Medium

SAP Fiori applications using the Posting Library do not correctly configure security settings during setup, leaving them at default or inadequately defined values, so data updates are not sufficiently protected.

Recommended remedial actions:

  • Implement the fix in accordance with SAP’s instructions

  • Add security checks during data updates

Vulnerability in S/4HANA (Manage Purchasing Info Records) - CVSS 4.3

Note: 3474392 Title: Missing authorisation check in S/4HANA (Manage Purchasing Info Records)

Product: S/4HANA (Manage Purchasing Info Records)

CVE: CVE-2025-26656 Priority: Medium

The OData service in Manage Purchasing Info Records does not perform the necessary authorisation checks for an authenticated user, allowing an attacker to escalate privileges.

Recommended remedial actions:

  • Implement the fix in accordance with SAP’s instructions

  • Correct the relevant objects and class code

Update to a security note issued during the August 2024 Patch Day (SAP Permit to Work) - CVSS 4.3

Note: 3475427 Title: Information disclosure vulnerability in the SAP Permit to Work service

Product: SAP Permit to Work

CVE: CVE-2024-41736 Priority: Medium

Under certain conditions, SAP Permit to Work allows an authenticated attacker to access information that would otherwise be restricted, causing a minor impact on the application’s confidentiality.

Recommended remedial actions:

  • Implement the fix in accordance with SAP’s instructions

  • Remove the hard-coded user ID from the mock-up data files

Vulnerability in SAP Business Objects Business Intelligence Platform - CVSS 4.1

Note: 3549494 Title: Information disclosure in SAP Business Objects Business Intelligence Platform

Product: SAP Business Objects Business Intelligence Platform

CVE: CVE-2025-23185 Priority: Medium

Due to improper error handling in SAP Business Objects Business Intelligence Platform, technical application details are disclosed in exceptions thrown to the user and in stack traces.

Recommended remedial actions:

  • Implement the fix in accordance with SAP’s instructions

  • Sanitise and log exceptions/stack traces, passing only a generic error to clients

Vulnerabilities in SAP Commerce Cloud and SAP Datahub - CVSS 3.7

Note: 3562415 Title: Multiple Spring Framework vulnerabilities in SAP Commerce Cloud and SAP Datahub

Product: SAP Commerce Cloud and SAP Datahub

CVE: CVE-2024-38819 Priority: Low

SAP Commerce Cloud and SAP Datahub use versions of the Spring Framework that contain vulnerabilities related to path traversal (CVE-2024-38819) and field manipulation (CVE-2024-38820).

Recommended remedial actions:

  • Update the Spring Framework in SAP Commerce Cloud and SAP Datahub to the patched 5.3.x release indicated in the note, which eliminates the path traversal and field manipulation vulnerabilities

Vulnerabilities in SAP CRM and SAP S/4HANA (Interaction Center) - CVSS 3.5

Note: 3561861 Title: Server-Side Request Forgery (SSRF) in SAP CRM and SAP S/4HANA (Interaction Center)

Product: SAP CRM and SAP S/4HANA (Interaction Center)

CVE: CVE-2025-27430 Priority: Low

Under certain conditions, an SSRF vulnerability in SAP CRM and SAP S/4HANA (Interaction Center) allows a low-privileged attacker to access restricted information.

Recommended remedial actions:

  • Implement the fix in accordance with SAP’s instructions

  • Remove the additional access token and apply an allow-list approach for SAM message target servers, preventing the collection of restricted information

Vulnerabilities in SAP JIT (Outbound) - CVSS 3.1

Note: 3347991 Title: Missing authorisation check in SAP JIT (Outbound)

Product: SAP JIT (Outbound)

CVE: CVE-2025-26655 Priority: Low

SAP Just In Time (JIT) does not perform the necessary authorisation checks for an authenticated user, allowing an attacker to escalate privileges that would otherwise be restricted, potentially causing a minor impact on the application’s integrity.

Recommended remedial actions:

  • Implement the fix in accordance with SAP’s instructions

  • Implement the required authorisation checks within the transactions

Vulnerabilities in SAP Electronic Invoicing for Brazil (eDocument Cockpit) - CVSS 2.4

Note: 3568865 Title: Missing authorisation check in SAP Electronic Invoicing for Brazil (eDocument Cockpit)

Product: SAP Electronic Invoicing for Brazil (eDocument Cockpit)

CVE: CVE-2025-27432 Priority: Low

The eDocument Cockpit (Inbound NF-e) in SAP Electronic Invoicing for Brazil allows an authenticated attacker with certain privileges to gain unauthorised access to any transaction.

Recommended remedial actions:

  • Implement the fix in accordance with SAP’s instructions

  • A permissions check for each transaction will be performed when the user opens an inbound delivery

Best practices for securing Spring Boot Actuator endpoints for applications running on BTP - CVSS 0.0

Note: 3576540 Title: Open Source Security Guide: Best practices for securing Spring Boot Actuator endpoints for applications running on BTP.

Product: BTP

CVE: N/A Priority: Low

Improperly secured Spring Boot Actuator endpoints in Java applications on BTP Cloud Foundry, Kyma, and Neo can lead to unauthorised access, data leakage, and RCE attacks. Proper safeguarding is required.

Conditions that must be met for an application to be exposed:

  • The application is implemented in Spring Boot.

  • The application uses the spring-boot-starter-actuator dependency.

  • Actuator endpoints are exposed over the web in the application configuration (properties/yaml). Note: Spring Boot's default exposes only the “health” endpoint over HTTP; the other endpoints appear only if the configuration explicitly includes them.

  • There is no authorisation or authentication for these endpoints.

  • The actuator endpoints are not adequately secured (e.g. no integration with a security configuration class).

It is recommended that the Java application developer verify these conditions.
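A concrete way to close the last three conditions, as an added example that is not code from the SAP note or from SNOK: the comments show the property that over-exposes the Actuator beside a hardened setting, and the class is a Spring Security 6 filter chain that keeps the health probe anonymous and puts every other Actuator endpoint behind authentication. The package name and the role name ACTUATOR_ADMIN are assumptions.

```java
// Added example (not from the SAP note): hardening Spring Boot Actuator on BTP.
//
// Weak application.properties (exposes every endpoint, including /actuator/env
// and /actuator/heapdump, over HTTP):
//   management.endpoints.web.exposure.include=*
//
// Hardened application.properties (Spring Boot's default already exposes only
// health; this makes that explicit and hides component details in the response):
//   management.endpoints.web.exposure.include=health,info
//   management.endpoint.health.show-details=never
//
// Whatever is exposed is additionally put behind authentication below.
package com.example.security; // assumed package name

import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ActuatorSecurityConfig {

    // Filter chain that applies only to Actuator endpoints. The low @Order value
    // makes it run before the application's own chain, so the application chain
    // cannot accidentally permitAll() the management URLs.
    @Bean
    @Order(1)
    SecurityFilterChain actuatorSecurity(HttpSecurity http) throws Exception {
        http
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeHttpRequests(auth -> auth
                // Platform liveness/readiness probes need /actuator/health without credentials.
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
                // Everything else (env, beans, loggers, heapdump, ...) needs an operator role.
                .anyRequest().hasRole("ACTUATOR_ADMIN"))
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}
```

HTTP Basic is used here only to keep the example self-contained; on BTP the same chain would normally be wired to the platform's OAuth2 tokens (for example via oauth2ResourceServer()) instead. The point the example makes is structural: exposure is controlled by the management.endpoints.web.exposure.include property, and the security filter chain must match the Actuator URLs explicitly, because an application chain that ends in permitAll() otherwise covers them too.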

SNOK - your partner in securing SAP systems

SNOK specialises in securing SAP systems and is well placed to assist with the implementation of SAP’s recommendations. Our experience in SAP cybersecurity allows us to effectively identify, analyse, and remediate vulnerabilities, ensuring the security of your critical business systems.

If you need support implementing SAP security patches or a comprehensive security analysis of your SAP environment, get in touch with our team of experts, who will help secure your systems against the latest threats.

Topics: Safe Tuesday SAP security SecurityBridge SAP S/4HANA SAP BTP
