Safe Tuesday with SNOK – SAP Security Patch Day (April 2025)

📅 On 8 April, SAP published a new security patch package. Among a total of 20 security notes (18 new and 2 updated), there are as many as 3 critical vulnerabilities requiring immediate action.

Below is an overview of the most important threats along with the full list of published updates:

Critical vulnerabilities

1️⃣ [CVE-2025-27429] - Code Injection in SAP S/4HANA (Private Cloud)

SAP Note: 3581961 | CVSS: 9.9 / 10 | Component: CA-LT-ANA

SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in a function module exposed via RFC. The flaw enables injection of arbitrary ABAP code, bypassing essential authorisation checks, and effectively works as a backdoor: full system compromise is possible, affecting the confidentiality, integrity and availability of data. 🔧 No workaround available - implementing the fixes from the SAP Note is required.

2️⃣ [CVE-2025-31330] - Code Injection in SAP Landscape Transformation (SLT) Analysis Platform (RFC)

SAP Note: 3587115 (per SecurityBridge) | CVSS: 9.9 / 10 | Component: CA-LT-ANA

SAP Landscape Transformation allows an attacker with user privileges (an authenticated RFC user) to exploit a vulnerability in a function module exposed via RFC. As with the S/4HANA finding above, the flaw enables injection of arbitrary ABAP code, bypassing essential authorisation checks, and can lead to full system compromise. 🔧 No workaround available - implementing the fixes from the SAP Note is required.
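To make the vulnerability class behind both CA-LT-ANA findings concrete, the following is an illustrative ABAP pattern added to this article. It is not the affected SAP code: the function module names, the authorization object Z_LT_CHECK and the parameters are invented. The first module is the weak shape: a remote-enabled function module that splices a caller-supplied string into source handed to GENERATE SUBROUTINE POOL, so anyone who can reach the function group over RFC can run arbitrary ABAP. The second shows the hardened shape: an explicit AUTHORITY-CHECK before any work is done, and a fixed set of operations selected by identifier instead of dynamic code generation.

```abap
" Added illustration of the vulnerability class, not SAP's own code.
" All names (Z_LT_*, Z_LT_CHECK) are hypothetical.

FUNCTION z_lt_run_dynamic_check.
*"----------------------------------------------------------------------
*"*"Local Interface (remote-enabled):
*"  IMPORTING
*"     VALUE(IV_CONDITION) TYPE STRING
*"  EXPORTING
*"     VALUE(EV_RESULT) TYPE ABAP_BOOL
*"----------------------------------------------------------------------
  DATA: lt_code TYPE STANDARD TABLE OF string,
        lv_prog TYPE string,
        lv_msg  TYPE string.

  " WEAK: the caller's text becomes part of generated ABAP source.
  " An RFC caller needs only S_RFC for this function group; a value such
  " as `abap_true. CALL FUNCTION 'SOME_FM'` appends arbitrary statements,
  " and no business authorization is ever checked.
  APPEND 'PROGRAM zgen_check.'                            TO lt_code.
  APPEND 'FORM check CHANGING cv_result TYPE abap_bool.'  TO lt_code.
  APPEND |  IF { iv_condition }.|                         TO lt_code.
  APPEND '    cv_result = abap_true.'                     TO lt_code.
  APPEND '  ENDIF.'                                       TO lt_code.
  APPEND 'ENDFORM.'                                       TO lt_code.

  GENERATE SUBROUTINE POOL lt_code NAME lv_prog MESSAGE lv_msg.
  IF sy-subrc = 0.
    PERFORM check IN PROGRAM (lv_prog) CHANGING ev_result.
  ENDIF.
ENDFUNCTION.


FUNCTION z_lt_run_fixed_check.
*"----------------------------------------------------------------------
*"*"Local Interface (remote-enabled):
*"  IMPORTING
*"     VALUE(IV_CHECK_ID) TYPE CHAR20
*"  EXPORTING
*"     VALUE(EV_RESULT) TYPE ABAP_BOOL
*"  EXCEPTIONS
*"     NOT_AUTHORIZED
*"     UNKNOWN_CHECK
*"----------------------------------------------------------------------
  " HARDENED, step 1: explicit authorization check on a dedicated object
  " (hypothetical Z_LT_CHECK). S_RFC only grants the right to call the
  " module, not the right to perform the business action.
  AUTHORITY-CHECK OBJECT 'Z_LT_CHECK'
    ID 'ACTVT' FIELD '16'.
  IF sy-subrc <> 0.
    RAISE not_authorized.
  ENDIF.

  " HARDENED, step 2: no dynamic code. The caller picks one of a fixed
  " set of checks by identifier; anything else is rejected.
  CASE iv_check_id.
    WHEN 'CLIENT_PRODUCTIVE'.
      " Client role 'P' in T000 marks a production client.
      SELECT SINGLE cccategory FROM t000
        INTO @DATA(lv_category)
        WHERE mandt = @sy-mandt.
      ev_result = xsdbool( sy-subrc = 0 AND lv_category = 'P' ).
    WHEN OTHERS.
      RAISE unknown_check.
  ENDCASE.
ENDFUNCTION.
```

The important property of the second module is that the RFC interface carries data, never code: whatever the caller sends is compared against a whitelist, and the authorization object is checked before the CASE statement, so neither S_RFC alone nor a crafted parameter value gives a path to arbitrary execution.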

3️⃣ [CVE-2025-30016] - Authentication Bypass in SAP Financial Consolidation

SAP Note: 3572688 | CVSS: 9.8 / 10 | Component: EPM-BFC-TCL-ADM-SEC

SAP Financial Consolidation allows an attacker with no privileges whatsoever to log in as an administrator. The cause is an insufficiently hardened authentication mechanism that lets security controls be bypassed, with critical impact on the confidentiality, integrity and availability of the application. 🔧 No workaround available - apply the corrections from the SAP Note (version 10.1, SP009 and SP010).

Other fixes from the April SAP Security Patch Day:

🟥 High priority:

  • 8.8 - High - 3525794 - [CVE-2025-0064] Improper Authorization in SAP BusinessObjects Business Intelligence platform

  • 8.5 - High - 3554667 - [CVE-2025-23186] Mixed Dynamic RFC Destination vulnerability through Remote Function Call (RFC) in SAP NetWeaver Application Server ABAP

  • 8.1 - High - 3590984 - [CVE-2024-56337] Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat within SAP Commerce Cloud

  • 7.7 - High - 2927164 - [CVE-2025-30014] Directory Traversal vulnerability in SAP Capital Yield Tax Management

  • 7.7 - High - 3581811 - [CVE-2025-27428] Directory Traversal vulnerability in SAP NetWeaver and ABAP Platform (Service Data Collection)

🟨 Medium and low priority:

  • 6.8 - Medium - 3543274 - [CVE-2025-26654] Potential information disclosure vulnerability in SAP Commerce Cloud (Public Cloud)

  • 6.7 - Medium - 3571093 - [CVE-2025-30013] Code Injection vulnerability in SAP ERP BW Business Content

  • 6.6 - Medium - 3565751 - [CVE-2025-31332] Insecure File permissions vulnerability in SAP BusinessObjects Business Intelligence Platform

  • 5.3 - Medium - 3568307 - [CVE-2025-26657] Information Disclosure vulnerability in SAP KMC WPC

  • 4.7 - Medium - 3559307 - [CVE-2025-26653] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)

  • 4.4 - Medium - 3558864 - [CVE-2025-30017] Missing Authorization check in SAP Solution Manager

  • 4.3 - Medium - 3525971 - [CVE-2025-31333] OData metadata tampering in SAP S4CORE entity

  • 4.3 - Medium - 3568778 - [CVE-2025-27437] Missing Authorization check in SAP NetWeaver Application Server ABAP (Virus Scan Interface)

  • 4.3 - Medium - 3577131 - [CVE-2025-31331] Authorization Bypass vulnerability in SAP NetWeaver

  • 4.2 - Medium - 3539465 - [CVE-2025-27435] Information Disclosure Vulnerability in SAP Commerce Cloud

  • 4.1 - Medium - 3565944 - [CVE-2025-30015] Memory Corruption vulnerability in SAP NetWeaver and ABAP Platform (Application Server ABAP)

  • 3.5 - Low - 3561861 - [CVE-2025-27430] Server Side Request Forgery (SSRF) in SAP CRM and SAP S/4 HANA (Interaction Center)

Amid growing threats, rapid response to critical security vulnerabilities is a key element of a data protection strategy. Thanks to the knowledge and experience of SNOK consultants, organisations can not only respond to identified threats, but also proactively eliminate them, minimising risk and ensuring the security of their systems. Their role in monitoring, analysing, and responding to evolving threats is invaluable, and their actions have a direct impact on the stability and reputation of the organisation.

Source: SAP Security Patch Day - April 2025

Topics: Safe Tuesday sap-security SecurityBridge SAP S/4HANA SAP BTP