SAP Security Patch Day – March 2025
The third SAP Security Patch Day of the year has arrived! At this rate, we might as well call the first quarter ‘patch season’: just like last month, there are over 20 security notes to review, a significant increase over previous months. It is always fascinating to analyze the newly discovered vulnerabilities and security issues, along with the measures needed to mitigate these risks.
Many IT landscapes today are a blend of traditional SAP systems (such as ABAP and Java) and newer platforms and services like SAP BTP. This growing complexity makes patch management more challenging than ever, but no less critical. Every day, organizations face DDoS attacks, data breaches, and the crippling effects of ransomware. More often than not, unpatched systems are the weak link that attackers exploit.
That’s why our message remains the same: patch management isn’t optional, it’s essential!
At SecurityBridge, we recognize the complexities of patch management and its crucial role in maintaining a strong security posture. Our SecurityBridge Patch Management solution provides clear visibility into missing patches across your SAP landscape, while also assessing the potential impact of updates before deployment. With a comprehensive, system-wide overview, this solution is an essential tool for strengthening your SAP security and ensuring proactive protection against emerging threats.
Security notes - March 2025
Like last month, the number of released notes is somewhat higher than usual: 21 new notes in total and 4 updates to existing notes.
See below for the highlights, and the end of this post for a complete overview.
High priority
There are no security notes with the highest priority, ‘HotNews’, so we start with those rated ‘High’.
SAP Commerce is again affected by several vulnerabilities, as we have seen a few times in recent months. These are often caused by vulnerabilities in underlying libraries, and this time is no different. Note 3569602 describes how a vulnerable version of swagger-ui is packaged with SAP Commerce Cloud and requires an update of that component. Note 3566851 addresses a similar issue, but here it is the packaged Apache Tomcat version that is vulnerable. These examples clearly demonstrate how vulnerabilities in base packages trickle down to the software components that rely on them.
The three other notes with priority ‘High’ are quite straightforward. Note 3563927 describes a missing authorization check that needs fixing. Notes 3567974 and 3483344 have minor updates to their correction instructions or description.
Medium and low priority
We see a large number of vulnerabilities in this category, mainly Cross-Site Scripting (XSS) vulnerabilities and missing authorization checks, among others. The majority simply require patching of the component involved, so we will not go into these further. Some interesting points:
Note 3558132 describes an information disclosure vulnerability in the SAP Web Dispatcher and ICM components. Keep in mind that this applies to both standalone and embedded Web Dispatcher installations, and that the patching process differs between the two.
Note 3562415 is another example of packaged libraries that contain vulnerabilities, although with a lower priority (Low). Note that this concerns both SAP Commerce Cloud and SAP Datahub.
Note 3576540 is not a security note that fixes a specific vulnerability; instead, it describes best practices for Java applications built with the Spring Framework and running on BTP Cloud Foundry, Kyma or Neo environments. More specifically, it describes how to prevent access to sensitive endpoints that are normally used for debugging purposes. These are valuable considerations for any landscape in which Java applications are deployed. We look forward to more notes like this, where concrete security measures are described!
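As an added illustration of the exposure problem the note addresses (this is not taken from the original post or from SAP note 3576540), a Spring Boot `application.properties` fragment shows the setting that makes the debugging endpoints reachable beside a hardened configuration; the property keys are standard Spring Boot Actuator keys, the base path value is constructed.

```properties
# Added example, not from SAP note 3576540.
# Keys are standard Spring Boot Actuator keys; the base-path value is constructed.

# WEAK: publishes every actuator endpoint (env, heapdump, threaddump, loggers, ...)
# over HTTP on the application port, so it is reachable through the app's route
# unless something in front of the application blocks it.
# management.endpoints.web.exposure.include=*

# HARDENED: publish only what a health probe really needs.
management.endpoints.web.exposure.include=health,info
# 'exclude' takes precedence over 'include', so the diagnostic endpoints stay
# unpublished even if someone later widens the include list.
management.endpoints.web.exposure.exclude=env,heapdump,threaddump,loggers,beans,configprops,mappings
# Do not leak component-level health details (datasource names, disk paths) to anonymous callers.
management.endpoint.health.show-details=when_authorized
# Disable the memory-dump endpoint entirely rather than relying on exposure lists alone.
management.endpoint.heapdump.enabled=false
# Move the remaining endpoints off the well-known /actuator prefix (constructed path).
management.endpoints.web.base-path=/internal/management
```

Exposure control only limits what is published; whatever remains published should additionally sit behind the application's normal authentication.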
SecurityBridge findings
At SecurityBridge, we do not only deliver a complete SAP Security solution for our customers; we also conduct research on several SAP Security topics. From this research, we regularly discover vulnerabilities ourselves, which we address in close cooperation with SAP. This month, we are proud to note that two vulnerabilities come directly from these research efforts: notes 3557131 and 3568865. Credits go to Joris van de Vis, our Director of Security Research!
SAP Security Notes March 2025
Highlights
A larger number of notes than normal without 'HotNews' notes.
Summary by Severity
The March release contains a total of 25 patches for the following severities:
Severity | Number
---|---
Hot News | 0
High | 5
Medium | 15
Low | 4
Note | Description | Priority | Released on | Components | Category | Severity | CVSS
---|---|---|---|---|---|---|---
3569602 | [CVE-2025-27434] Cross-Site Scripting (XSS) vulnerability in SAP Commerce (Swagger UI) | Correction with high priority | 11.03.2025 | CEC-SCC-COM-BC-BCOM | Program error | High | 8.8
3563927 | [CVE-2025-26661] Missing Authorization check in SAP NetWeaver (ABAP Class Builder) | Correction with high priority | 11.03.2025 | BC-DWB-TOO-CLA | Program error | High | 8.8
3566851 | [CVE-2024-38286] Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud | Correction with high priority | 11.03.2025 | CEC-SCC-COM-BBA-COM | Program error | High | 8.6
3567974 | [CVE-2025-24876] Authentication bypass via authorization code injection in SAP Approuter | Correction with high priority | 11.02.2025 | BC-XS-APR | Program error | High | 8.1
3483344 | [CVE-2024-39592] Missing Authorization check in SAP PDCE | Correction with high priority | 09.07.2024 | FIN-BA | Program error | High | 7.7
3561045 | [CVE-2025-26658] Broken Authentication in SAP Business One (Service Layer) | Correction with medium priority | 11.03.2025 | SBO-CRO-SEC | Program error | Medium | 6.8
3552824 | [CVE-2025-26659] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML) | Correction with medium priority | 11.03.2025 | BC-FES-WGU | Program error | Medium | 6.1
3562390 | [CVE-2025-25242] Cross-Site Scripting (XSS) in SAP NetWeaver Application Server ABAP | Correction with medium priority | 11.03.2025 | BC-FES-WGU | Program error | Medium | 6.1
3552144 | [CVE-2025-25244] Missing Authorization Check in SAP Business Warehouse (Process Chains) | Correction with medium priority | 11.03.2025 | BW-WHM-DST-PC | Program error | Medium | 5.7
3567246 | [CVE-2025-27431] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java | Correction with medium priority | 11.03.2025 | BC-WD-UR | Program error | Medium | 5.4
3557469 | [CVE-2025-25245] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence) | Correction with medium priority | 11.03.2025 | BI-RA-WBI-FE-HTM | Program error | Medium | 5.4
3561792 | [CVE-2025-23194] Missing Authentication check in SAP NetWeaver Enterprise Portal (OBN component) | Correction with medium priority | 11.03.2025 | EP-PIN-OBN | Program error | Medium | 5.3
3558132 | [CVE-2025-0071] Information Disclosure vulnerability in SAP Web Dispatcher and Internet Communication Manager | Correction with medium priority | 11.03.2025 | BC-CST-IC | Program error | Medium | 4.9
3557459 | [CVE-2025-0062] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence) | Correction with medium priority | 11.03.2025 | BI-RA-WBI-FE-HTM | Program error | Medium | 4.7
3565835 | [CVE-2025-27433] Broken Access Control vulnerabilities in SAP S/4HANA (Manage Bank Statements) | Correction with medium priority | 11.03.2025 | FI-FIO-AR-PAY | Program error | Medium | 4.3
3474392 | [CVE-2025-26656] Missing Authorization check in S/4HANA (Manage Purchasing Info Records) | Correction with medium priority | 11.03.2025 | MM-FIO-PUR-IR | Program error | Medium | 4.3
3557655 | [CVE-2025-26660] Broken Access Control in SAP Fiori apps (Posting Library) | Correction with medium priority | 11.03.2025 | FI-FIO-GL-TRA | Program error | Medium | 4.3
3557131 | [CVE-2025-23188] Missing Authorization check in SAP S/4HANA (RBD) | Correction with medium priority | 11.03.2025 | FS-RBD | Program error | Medium | 4.3
3475427 | [CVE-2024-41736] Information Disclosure vulnerability in SAP Permit to Work | Correction with medium priority | 13.08.2024 | PM-FIO-WCM | Program error | Medium | 4.3
3549494 | [CVE-2025-23185] Information Disclosure in SAP Business Objects Business Intelligence Platform | Correction with medium priority | 11.03.2025 | BI-BIP-LCM | Program error | Medium | 4.1
3562415 | [CVE-2024-38819] Multiple vulnerabilities in Spring Framework within SAP Commerce Cloud and SAP Datahub | Correction with low priority | 11.03.2025 | CEC-SCC-PLA-PL | Program error | Low | 3.7
3561861 | [CVE-2025-27430] Server Side Request Forgery (SSRF) in SAP CRM and SAP S/4 HANA (Interaction Center) | Correction with low priority | 11.03.2025 | CRM-IC-BF | Program error | Low | 3.5
3347991 | [CVE-2025-26655] Missing Authorization check in SAP JIT (Outbound) | Correction with low priority | 24.02.2025 | IS-A-JIT | Program error | Low | 3.1
3568865 | [CVE-2025-27432] Missing Authorization check in SAP Electronic Invoicing for Brazil (eDocument Cockpit) | Correction with low priority | 11.03.2025 | CA-GTF-CSC-EDO | Program error | Low | 2.4
3576540 | Open Source Security Advisory: Best Practices for Securing Spring Boot Actuator Endpoints for applications running on BTP | Correction with low priority | 11.03.2025 | BC-CP-CF-CRTM | Program error | Unknown | 0.0