10 June 2025 - Another SAP Security Patch Day is behind us! In today’s edition of “Safe Tuesday with SNOK” we analyse 14 new security notes published by SAP in June 2025. This time the patch package focuses on key SAP NetWeaver and S/4HANA components, with one critical vulnerability requiring immediate attention.
What is SAP Security Patch Day?
SAP Security Patch Day is SAP’s monthly release of security notes and patches. It always takes place on the second Tuesday of the month - this time on 10 June 2025. It is a key element of the SAP systems security maintenance cycle, allowing organisations to systematically secure their environments against newly identified vulnerabilities.
Regular implementation of these patches is absolutely essential for maintaining the security of SAP infrastructure - much as regular vaccinations protect against disease, security patches protect systems against increasingly sophisticated attacks.
The most serious threats from June 2025
In the June patch package, SAP published 14 new security notes, several of which deserve particular attention due to their high CVSS (Common Vulnerability Scoring System) score and potential business impact:
🚨 1. Missing authorisation check in SAP NetWeaver ABAP (CVE-2025-42989)
CVSS: 9.6 | Priority: CRITICAL
This highest-priority vulnerability affects SAP NetWeaver Application Server for ABAP in versions KERNEL 7.89, 7.93, 9.14, 9.15. With a CVSS score of 9.6, it poses a serious threat to the integrity and security of ABAP systems.
🔓 2. Information disclosure in SAP GRC (CVE-2025-42982)
CVSS: 8.8 | Priority: HIGH
A vulnerability in the AC Plugin component of SAP GRC (versions GRCPINW V1100_700, V1100_731) can lead to unauthorised access to sensitive compliance and audit data.
📊 3. Missing authorisation check in SAP Business Warehouse (CVE-2025-42983)
CVSS: 8.5 | Priority: HIGH
A wide-ranging vulnerability affecting SAP Business Warehouse and SAP Plug-In Basis across numerous versions (PI_BASIS 2006_1_700 to 740, SAP_BW 750-758, 914, 915). It may enable unauthorised access to warehouse data.
🌐 4. Cross-Site Scripting in SAP BusinessObjects (CVE-2025-23192)
CVSS: 8.2 | Priority: HIGH
An XSS vulnerability in the BI Workspace component can be exploited to carry out attacks against users of BusinessObjects in versions ENTERPRISE 430, 2025, 2027.
🔄 5. Directory Traversal in SAP NetWeaver Visual Composer (CVE-2025-42977)
CVSS: 7.6 | Priority: HIGH
Following the critical Visual Composer issues in May, June brought another vulnerability in this component (VCBASE 7.50) - this time related to unauthorised access to system files.
Full list of security notes from June 2025
Note# Title Priority CVSS
3600840 [CVE-2025-42989] Missing Authorization check in SAP NetWeaver Application Server for ABAP Product - SAP NetWeaver Application Server for ABAP Versions - KERNEL 7.89, 7.93, 9.14, 9.15 Critical 9.6
3609271 [CVE-2025-42982] Information Disclosure in SAP GRC (AC Plugin) Product - SAP GRC (AC Plugin) Versions - GRCPINW V1100_700, V1100_731 High 8.8
[CVE-2025-42983] Missing Authorization check in SAP Business Warehouse and SAP Plug-In Basis
Product - SAP Business Warehouse and SAP Plug-In BasisVersions - PI_BASIS 2006_1_700, 701, 702, 731, 740, SAP_BW 750, 751, 752, 753, 754, 755, 756, 757, 758, 914, 915
High 8.5
3560693 [CVE-2025-23192] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence (BI Workspace) Product - SAP BusinessObjects Business Intelligence (BI Workspace) Versions - ENTERPRISE 430, 2025, 2027 High 8.2
3610591 [CVE-2025-42977] Directory Traversal vulnerability in SAP NetWeaver Visual Composer Product - SAP NetWeaver Visual Composer Version - VCBASE 7.50 High 7.6
[CVE-2025-42994] Multiple vulnerabilities in SAP MDM Server
Related CVE - CVE-2025-42995, CVE-2025-42996 Product - SAP MDM Server Versions - MDM_SERVER 710.750
High 7.5
[CVE-2025-42993] Missing Authorization Check in SAP S/4HANA (Enterprise Event Enablement)
Product - SAP S/4HANA (Enterprise Event Enablement) Versions - SAP_GWFND 757, 758
Medium 6.7
[CVE-2025-31325] Cross-Site Scripting (XSS) Vulnerability in SAP NetWeaver (ABAP Keyword Documentation)
Product- SAP NetWeaver (ABAP Keyword Documentation)Version - SAP_BASIS 758
Medium 5.8
[CVE-2025-42984] Missing Authorization check in SAP S/4HANA (Manage Central Purchase Contract application)
Product - SAP S/4HANA (Manage Central Purchase Contract application) Versions - S4CORE 106, 107, 108
Medium 5.4
[CVE-2025-42998] Security misconfiguration vulnerability in SAP Business One Integration Framework
Product - SAP Business One Integration Framework Versions - B1_ON_HANA 10.0, SAP-M-BO 10.0
Medium 5.3
3596850 [CVE-2025-42987] Missing Authorization Check in SAP S/4HANA (Manage Processing Rules - For Bank Statement) Product - SAP S/4HANA (Manage Processing Rules - For Bank Statement) Versions - S4CORE 104, 105, 106, 107, 108 Medium 4.3
[CVE-2025-42991] Missing Authorization check in SAP S/4HANA (Bank Account Application)
Product- SAP S/4HANA (Bank Account Application) Version - S4CORE 108
Medium 4.3
3585545 [CVE-2025-42988] Server-Side Request Forgery in SAP Business Objects Business Intelligence Platform Product - SAP Business Objects Business Intelligence Platform Versions - ENTERPRISE 430, 2025, 2027 Low 3.7
3601169 [CVE-2025-42990] HTML Injection in Unprotected SAPUI5 applications Product - SAPUI5 applications Versions - SAP_UI 750, 754, 755, 756, 757, 758, UI_700 200 Low 3.0
Why rapid patch deployment is critical
In today’s digital world, threat actors act with speed. Often only a matter of hours passes between the publication of a vulnerability and the first exploitation attempts, not days or weeks. This is precisely why delaying the implementation of security patches is like leaving the door to your company’s vault open.
Need support? The SNOK team is ready to help!
The security of SAP systems is a complex matter requiring specialist expertise. The SNOK team of experts is ready to support your organisation in effectively implementing the June security patches, in order to minimise cyber risk - particularly given the approaching holiday season.
Summary
The June SAP Security Patch Day brought 14 new security fixes, with one critical vulnerability requiring immediate attention. CVE-2025-42989, with a CVSS score of 9.6, in NetWeaver ABAP KERNEL, is priority number one for every organisation running SAP systems.
Do not wait for cybercriminals to exploit vulnerabilities in your SAP system. Contact us today to discuss how we can help secure your critical business systems ahead of the holiday season.
This article is part of the “Safe Tuesday with SNOK” series - regular analyses of SAP system security. Follow our publications to stay up to date with the latest threats and protective measures.
📱 Stay up to date: Follow SNOK on LinkedIn to receive an alert for every new SAP Security Patch Day and practical SAP cybersecurity guidance.