SAP Security Patch Day – April 2025

On this fourth SAP Security Patch Day of the year, we welcome 20 new or updated security notes to review! As always, we will dive into the highlights to give additional information on how to handle these patches properly. As we keep repeating every month: patching is of the utmost importance to keep IT systems safe. It is the number 1 action to take to prevent the breaches and attacks that we hear of almost every single day. The impact of an average data breach is enormous in terms of cost, reputation damage, and much more. And all you have to do is ‘simply’ patch…
However, in a typical SAP environment, patching is not as straightforward as one might think. Because of the complex nature and various components in the landscape, patching is often a tedious, time-consuming process, where applicable patches can be easily missed. At SecurityBridge, we understand the difficulties of patch management in the SAP landscape like no other. Our SecurityBridge Patch Management solution greatly helps to identify missing patches in your SAP landscape, providing clear visibility, impact analysis, and automated implementation. With a system-wide overview, the solution drastically shortens the time to implement missing patches and safeguards your SAP landscape against emerging threats.
Security notes - April 2025
As said, there are 20 security notes in this month’s release: 17 new notes and 3 updates to existing notes.
See below for the highlights per priority and the end of this post for a complete overview.
HotNews
The ‘HotNews’ security notes have the highest priority, so let’s look at these first. In previous months, there weren’t any ‘HotNews’ security notes but now there are 3:
Attention for customers that use SAP Landscape Transformation and have installed the DMIS add-on! Without applying the patch from note 3587115, arbitrary ABAP code can be injected into the system, which means the system can be completely compromised! No wonder this has CVSS 9.9… It is essential to identify all systems that have the DMIS add-on installed and apply the patch asap. There is no workaround. One upside is that besides the implementation of the note, no further action is needed, such as restarts. See FAQ note 3588720 for further information. Note that SAP Landscape Transformation can be set up in different scenarios, so the add-on can be present on standalone systems as well as on source systems.
Next is a similar issue, described in note 3581961 but here it concerns the S/4HANA core component! Again, this is about arbitrary ABAP code injection with the same potential impact: a full system compromise! And again, this is a CVSS 9.9 score. Make sure to implement this note asap on all relevant S/4HANA systems: there is no workaround.
For customers who use the SBOP Financial Consolidation solution, it is essential to apply the patch as described in note 3572688. The system can be seriously compromised, and details are limited but apparently, this concerns some hard-coded authentication details (username/password/key). This kind of coding is an absolute no-go as this note clearly demonstrates…
High priority
The next stop is the ‘High’ priority notes. These may be a bit lower in priority, but still describe serious security issues.
Note 3554667 describes a vulnerability where a Remote Function Call (RFC) can be crafted to potentially retrieve stored credentials. Depending on the credentials found, this could fully compromise the related service. The solution is to apply a kernel patch, but a workaround is available via the (dynamically switchable!) parameter rfc/dynamic_dest_api_only, a little-known parameter that controls the behavior of dynamic destinations created via the API class CL_DYNAMIC_DESTINATION. This CAN be used, but thorough testing is required. It is advised, though, to apply the kernel patch.
Several security notes do not concern ‘direct’ vulnerabilities in code or components from SAP but in libraries or other third-party software used. Note 3590984 is another such example, this time for SAP Commerce Cloud. The SAP software itself is claimed to have no vulnerability in this respect, but the Apache Tomcat version used does. Good to know that the default setup should not be vulnerable, but patching is still required!
Medium and low priority
Going further, we find a series of notes with priority ‘medium’ and one with priority ‘low’. These mainly concern the plain implementation of the software patch or are about minor (textual) changes. Let this not be a reason to take these notes lightly. Careful assessment remains necessary!
SecurityBridge findings
At SecurityBridge we do not only deliver a complete SAP Security solution for our customers. We also research several SAP Security topics. From this, we regularly discover vulnerabilities ourselves, which we address in close cooperation with SAP. Like last month, we are proud to again note that 2 vulnerabilities come directly from these research efforts: notes 3577131 and 3571093.
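One way to turn the per-note commentary above into a per-system action list, as an added example that is not SecurityBridge's or SAP's code: the script cross-references a subset of this month's notes (note numbers, CVEs, application components and CVSS values taken from the table on this page) against a constructed inventory of installed software components, and orders the result by severity and then CVSS. The system names, their installed components, and the mapping from note number to affected software component (`NOTE_AFFECTS`) are assumptions; the page itself only states that note 3587115 concerns the DMIS add-on.

```python
"""Triage SAP security notes against a (constructed) system inventory.

Added example, not SecurityBridge or SAP code. The note data below is a
subset of the April 2025 table on this page; the systems, their installed
software components and NOTE_AFFECTS are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Note:
    number: str
    cve: str
    title: str
    severity: str          # as listed by SAP: Hot News / High / Medium / Low
    cvss: float
    app_component: str     # application component from the note
    workaround: bool       # True when the page mentions a workaround


# Subset of the April 2025 notes (values as listed on this page).
NOTES = [
    Note("3587115", "CVE-2025-31330", "Code Injection in SAP Landscape Transformation",
         "Hot News", 9.9, "CA-LT-ANA", False),
    Note("3581961", "CVE-2025-27429", "Code Injection in SAP S/4HANA (Private Cloud)",
         "Hot News", 9.9, "CA-LT-ANA", False),
    Note("3554667", "CVE-2025-23186", "Mixed Dynamic RFC Destination in AS ABAP",
         "High", 8.5, "BC-MID-RFC", True),
    Note("3568778", "CVE-2025-27437", "Missing Authorization check (Virus Scan Interface)",
         "Medium", 4.3, "BC-SEC-VIR", False),
]

# ASSUMPTION: which installed software components make a note applicable.
# The page states that 3587115 concerns the DMIS add-on; the rest is illustrative.
NOTE_AFFECTS = {
    "3587115": {"DMIS"},
    "3581961": {"S4CORE"},
    "3554667": {"SAP_BASIS"},   # kernel-level fix: treat every AS ABAP as affected
    "3568778": {"SAP_BASIS"},
}

# Constructed inventory: system id -> installed software components.
SYSTEMS = {
    "ERP-PRD": {"SAP_BASIS", "SAP_ABA", "DMIS"},
    "S4H-PRD": {"SAP_BASIS", "SAP_ABA", "S4CORE", "DMIS"},
    "BW-DEV": {"SAP_BASIS", "SAP_ABA"},
}

SEVERITY_RANK = {"Hot News": 0, "High": 1, "Medium": 2, "Low": 3}


def applicable_notes(installed):
    """Notes whose affected components intersect the installed component set."""
    return [n for n in NOTES if NOTE_AFFECTS[n.number] & installed]


def triage(systems=SYSTEMS):
    """Return {system_id: [Note, ...]} ordered by severity, then CVSS descending."""
    plan = {}
    for sid, components in systems.items():
        notes = applicable_notes(components)
        notes.sort(key=lambda n: (SEVERITY_RANK[n.severity], -n.cvss))
        plan[sid] = notes
    return plan


def hotnews_exposure(systems=SYSTEMS):
    """System ids carrying at least one HotNews note for which no workaround exists."""
    return sorted(
        sid for sid, notes in triage(systems).items()
        if any(n.severity == "Hot News" and not n.workaround for n in notes)
    )


if __name__ == "__main__":
    for sid, notes in triage().items():
        print(sid)
        for n in notes:
            print(f"  {n.severity:<8} {n.cvss:>4} {n.number} {n.cve} {n.title}")
    print("Systems needing immediate HotNews action:", hotnews_exposure())
```

In a real landscape the inventory would come from the systems themselves (the installed software component list of each system) and the note-to-component mapping from the note metadata rather than from a hand-written dictionary; the ordering logic stays the same.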
SAP Security Notes April 2025
Highlights
Three HotNews notes that require immediate attention.
Summary by Severity
The April release contains a total of 20 patches for the following severities:
Severity | Number
---|---
Hot News | 3
High | 5
Medium | 11
Low | 1
Note | Description | Priority | Released on | Components | Category | Severity | CVSS
---|---|---|---|---|---|---|---
3581961 | [CVE-2025-27429] Code Injection Vulnerability in SAP S/4HANA (Private Cloud) | HotNews | 08.04.2025 | CA-LT-ANA | Program error | Hot News | 9.9
3587115 | [CVE-2025-31330] Code Injection Vulnerability in SAP Landscape Transformation (Analysis Platform) | HotNews | 08.04.2025 | CA-LT-ANA | Program error | Hot News | 9.9
3572688 | [CVE-2025-30016] Authentication Bypass Vulnerability in SAP Financial Consolidation | HotNews | 08.04.2025 | EPM-BFC-TCL-ADM-SEC | Program error | Hot News | 9.8
3525794 | [CVE-2025-0064] Improper Authorization in SAP BusinessObjects Business Intelligence platform | Correction with high priority | 11.02.2025 | BI-BIP-AUT | Program error | High | 8.8
3554667 | [CVE-2025-23186] Mixed Dynamic RFC Destination vulnerability through Remote Function Call (RFC) in SAP NetWeaver Application Server ABAP | Correction with high priority | 08.04.2025 | BC-MID-RFC | Program error | High | 8.5
3590984 | [CVE-2024-56337] Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat within SAP Commerce Cloud | Correction with high priority | 08.04.2025 | CEC-SCC-CDM-CKP-COR | Program error | High | 8.1
3581811 | [CVE-2025-27428] Directory Traversal vulnerability in SAP NetWeaver and ABAP Platform (Service Data Collection) | Correction with high priority | 08.04.2025 | SV-SMG-SDD | Program error | High | 7.7
2927164 | [CVE-2025-30014] Directory Traversal vulnerability in SAP Capital Yield Tax Management | Correction with high priority | 08.04.2025 | FS-CYT | Program error | High | 7.7
3543274 | [CVE-2025-26654] Potential information disclosure vulnerability in SAP Commerce Cloud (Public Cloud) | Correction with medium priority | 08.04.2025 | CEC-SCC-CLA-ENV-NWC | Program error | Medium | 6.8
3571093 | [CVE-2025-30013] Code Injection vulnerability in SAP ERP BW Business Content | Correction with medium priority | 08.04.2025 | BW-BCT-WEB | Program error | Medium | 6.7
3565751 | [CVE-2025-31332] Insecure File permissions vulnerability in SAP BusinessObjects Business Intelligence Platform | Correction with medium priority | 08.04.2025 | BI-BIP-INS | Program error | Medium | 6.6
3568307 | [CVE-2025-26657] Information Disclosure vulnerability in SAP KMC WPC | Correction with medium priority | 08.04.2025 | EP-KM-CM | Program error | Medium | 5.3
3559307 | [CVE-2025-26653] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML) | Correction with medium priority | 08.04.2025 | BC-FES-WGU | Program error | Medium | 4.7
3558864 | [CVE-2025-30017] Missing Authorization check in SAP Solution Manager | Correction with medium priority | 08.04.2025 | SV-SMG-IMP | Program error | Medium | 4.4
3525971 | [CVE-2025-31333] Odata meta-data tampering in SAP S4CORE entity | Correction with medium priority | 10.10.2024 | PP-PI-MD-PRV | Program error | Medium | 4.3
3577131 | [CVE-2025-31331] Authorization Bypass vulnerability in SAP NetWeaver | Correction with medium priority | 08.04.2025 | CA-GTF-TS-GMA | Program error | Medium | 4.3
3568778 | [CVE-2025-27437] Missing Authorization check in SAP NetWeaver Application Server ABAP (Virus Scan Interface) | Correction with medium priority | 08.04.2025 | BC-SEC-VIR | Program error | Medium | 4.3
3539465 | [CVE-2025-27435] Information Disclosure Vulnerability in SAP Commerce Cloud | Correction with medium priority | 08.04.2025 | CEC-SCC-COM-PRO-CUC | Program error | Medium | 4.2
3565944 | [CVE-2025-30015] Memory Corruption vulnerability in SAP NetWeaver and ABAP Platform (Application Server ABAP) | Correction with medium priority | 08.04.2025 | BC-DB-DBI | Program error | Medium | 4.1
3561861 | [CVE-2025-27430] Server Side Request Forgery (SSRF) in SAP CRM and SAP S/4 HANA (Interaction Center) | Correction with low priority | 11.03.2025 | CRM-IC-BF | Program error | Low | 3.5