
SAP Security Patch Day – August 2025

As the summer holiday season unfolds, many people are taking a well-deserved break, but SAP security threats never take time off. For this month’s SAP Security Patch Day, SAP has issued 25 Security Notes (including updates and interim releases), continuing the recent trend of high patch volumes. This highlights the critical importance of SAP security and underscores the need for robust patch management practices.
Yet, for most SAP landscapes, applying patches is anything but straightforward. Complex system architectures, intertwined dependencies, and diverse components make the process both time-consuming and prone to mistakes. Missing a crucial update can happen all too easily, and the consequences can be serious.
At SecurityBridge, we understand these challenges like no other. That’s why our SecurityBridge Patch Management solution is designed to tackle them directly. It detects missing patches across your entire SAP environment, delivering comprehensive visibility, detailed impact analysis, and automated deployment capabilities. With a centralized system overview, it streamlines patching, reduces implementation times, and fortifies your SAP landscape against both current and emerging threats.
Security notes - August 2025
In this monthly cycle, 15 new notes have been released, and 10 notes have either been updated or were released earlier, after the July patch cycle. Below, you’ll find the key highlights grouped by priority. For a full breakdown, scroll to the end of this post.
SecurityBridge Findings!
At SecurityBridge, we don’t just provide a comprehensive SAP security platform — we’re also deeply invested in ongoing research within the SAP security domain. This continuous commitment often leads to the discovery of new vulnerabilities, which we responsibly disclose and resolve in close collaboration with SAP.
For this month’s release, we’re proud to share our latest discoveries:
- HotNews: note 3633838 [CVE-2025-42950] Code Injection Vulnerability in SAP Landscape Transformation (Analysis Platform)
- HotNews: note 3627998 [CVE-2025-42957] Code Injection vulnerability in SAP S/4HANA (Private Cloud or On-Premise)
- High Priority: note 3614804 [CVE-2025-42946] Directory Traversal vulnerability in SAP S/4HANA (Bank Communication Management)
HotNews – SAP Landscape Transformation (SLT)
We see 4 HotNews mentioned this month. The first 2 notes (3633838 and 3627998) both have a CVSS score of 9.9. This is no coincidence: they both address the same issue, but for 2 different software components:
- DMIS: the data migration add-on that is required on certain ABAP systems to enable SLT.
- S4CORE: the core S/4 HANA component that has the required functionality already built in.
So, what is the vulnerability about? There is not much detail to share right now, but the issue is that a function module can be exploited to gain full compromise of the system. There is no workaround; the solution is simple: patch! As confirmed by the accompanying FAQ notes (3638514 and 3630291), implementing the patch requires no downtime and has no further impact. So, if you have the DMIS add-on installed or use S/4 HANA private cloud or on-premise, patch!
The other 2 HotNews notes are old acquaintances:
- Note 3581961: Additional support packages have been released, now covering older versions than before. Check whether these apply to your version.
- Note 3610892: A workaround has been provided by SAP that was not known before. See FAQ note 3628361 for the details, should you want to apply the workaround first.
High priority notes
Next up are the ‘High’ priority notes. While not as critical as the ‘HotNews’ items, these still describe serious security vulnerabilities — and should not be taken lightly. Only 2 notes have been newly released in this category:
- Note 3625403: This concerns SAP Business One, where a normal user can gain administrative privileges using an API.
- Note 3611184: Multiple vulnerabilities that can be exploited using the BIC service. Deactivating the SICF service /sap/BIC is a workaround. Patching is better (as with all workarounds…).
Medium and Low-priority notes
19 notes fall in the ‘Medium’ or ‘Low’ category. Here too, the majority simply require applying the fixes. Some highlights:
- Note 3596987: Manual activity has been updated with the correct name of the transaction to be removed. Make sure to double-check.
- Note 3561792: The corrections have been downported to lower versions. Make sure to double-check.
- Note 3627845: This concerns a vulnerability in the SAP GUI for Windows, a component that is easily overlooked in patch management! Besides patching, also consider the recommendation to implement allowlisting of UNC paths.
- Note 3601480: Besides patching, check the use of LOGFORMAT to assess how exposed your systems are.
- Note 3611345: This concerns a vulnerability in the SAP Cloud Connector. Again, a component that is easily overlooked. Make sure to include the Cloud Connector installations in your landscape inventory and patch scope.
SAP Security Notes August 2025
Highlights
A relatively high number of patches, with the majority having ‘Medium’ priority.
Summary by Severity
The August release contains a total of 25 patches for the following severities:

| Severity | Number |
|---|---|
| Hot News | 4 |
| High | 2 |
| Medium | 16 |
| Low | 3 |
| Note | Description | Priority | Released on | Component | Category | Severity | CVSS |
|---|---|---|---|---|---|---|---|
| 3627998 | [CVE-2025-42957] Code Injection vulnerability in SAP S/4HANA (Private Cloud or On-Premise) | HotNews | 12.08.2025 | CA-DT-ANA | Program error | Hot News | 9.9 |
| 3633838 | [CVE-2025-42950] Code Injection Vulnerability in SAP Landscape Transformation (Analysis Platform) | HotNews | 12.08.2025 | CA-LT-ANA | Program error | Hot News | 9.9 |
| 3581961 | [CVE-2025-27429] Code Injection Vulnerability in SAP S/4HANA (Private Cloud or On-Premise) | HotNews | 08.04.2025 | CA-LT-ANA | Program error | Hot News | 9.9 |
| 3610892 | [CVE-2025-42966] Insecure Deserialization vulnerability in SAP NetWeaver (XML Data Archiving Service) | HotNews | 08.07.2025 | BC-ILM-DAS | Program error | Hot News | 9.1 |
| 3625403 | [CVE-2025-42951] Broken Authorization in SAP Business One (SLD) | Correction with high priority | 12.08.2025 | SBO-BC-SLD | Program error | High | 8.8 |
| 3611184 | [CVE-2025-42976] Multiple vulnerabilities in SAP NetWeaver Application Server ABAP (BIC Document) | Correction with high priority | 12.08.2025 | FIN-SEM-CPM | Program error | High | 8.1 |
| 3614804 | [CVE-2025-42946] Directory Traversal vulnerability in SAP S/4HANA (Bank Communication Management) | Correction with medium priority | 12.08.2025 | FIN-FSCM-BNK | Program error | Medium | 6.9 |
| 3629871 | [CVE-2025-42948] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Platform | Correction with medium priority | 12.08.2025 | CRM-BF-ML | Program error | Medium | 6.1 |
| 3585491 | [CVE-2025-42945] HTML Injection vulnerability in SAP NetWeaver Application Server ABAP | Correction with medium priority | 12.08.2025 | BC-FES-WGU | Program error | Medium | 6.1 |
| 3596987 | [CVE-2025-42969] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | Correction with medium priority | 08.07.2025 | BC-MID-AC | Program error | Medium | 6.1 |
| 3617131 | [CVE-2025-42981] Multiple vulnerabilities in SAP NetWeaver Application Server ABAP | Correction with medium priority | 08.07.2025 | BC-FES-ITS | Program error | Medium | 6.1 |
| 3597355 | [CVE-2025-42942] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server for ABAP | Correction with medium priority | 12.08.2025 | BC-MID-ICF | Program error | Medium | 6.1 |
| 3503138 | [CVE-2025-0059] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML) | Correction with medium priority | 14.01.2025 | BC-FES-WGU | Program error | Medium | 6.0 |
| 3585992 | [CVE-2025-43008] Missing Authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal | Correction with medium priority | 13.05.2025 | PY-PT | Program error | Medium | 5.8 |
| 3540688 | [CVE-2025-42947] Code Injection vulnerability in SAP FICA ODN framework | Correction with medium priority | 22.07.2025 | FI-LOC-CA-XX | Program error | Medium | 5.5 |
| 3602656 | [CVE-2025-42936] Missing Authorization check in SAP NetWeaver Application Server for ABAP | Correction with medium priority | 12.08.2025 | BC-SRV-ARL-INT | Program error | Medium | 5.4 |
| 3561792 | [CVE-2025-23194] Missing Authentication check in SAP NetWeaver Enterprise Portal (OBN component) | Correction with medium priority | 11.03.2025 | EP-PIN-OBN | Program error | Medium | 5.3 |
| 3626722 | [CVE-2025-42949] Missing Authorization check in ABAP Platform | Correction with medium priority | 12.08.2025 | BC-DWB-UTL-BRR | Program error | Medium | 4.9 |
| 3627845 | [CVE-2025-42943] Information Disclosure in SAP GUI for Windows | Correction with medium priority | 12.08.2025 | BC-FES-GUI | Program error | Medium | 4.5 |
| 3577131 | [CVE-2025-31331] Authorization Bypass vulnerability in SAP NetWeaver | Correction with medium priority | 08.04.2025 | CA-GTF-TS-GMA | Program error | Medium | 4.3 |
| 3616863 | [CVE-2025-42934] CRLF Injection vulnerability in SAP S/4HANA (Supplier invoice) | Correction with medium priority | 12.08.2025 | CA-DMS | Program error | Medium | 4.3 |
| 3601480 | [CVE-2025-42935] Information Disclosure vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Manager) | Correction with medium priority | 12.08.2025 | BC-CST-IC | Program error | Medium | 4.1 |
| 3611345 | [CVE-2025-42955] Missing authorization check in SAP Cloud Connector | Correction with low priority | 12.08.2025 | BC-MID-SCC | Program error | Low | 3.5 |
| 3624943 | [CVE-2025-42941] Reverse Tabnabbing vulnerability in SAP Fiori (Launchpad) | Correction with low priority | 12.08.2025 | CA-FLP-FE-COR | Program error | Low | 3.5 |
| 3557179 | [CVE-2025-42978] Insufficiently Secure Hostname Verification for Outbound TLS Connections in SAP NetWeaver Application Server Java | Correction with low priority | 08.07.2025 | BC-JAS-SEC | Program error | Low | 3.5 |
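To turn a note list like the one above into a triage list, the script below (an added example, not SecurityBridge or SAP code) parses notes written in a flat pipe-separated one-line-per-note layout, rebuilds the severity summary, separates this cycle's new notes from re-released or downported ones by their original release date, and picks out the notes for a given application component area, highest CVSS first. The four sample lines are constructed here from entries in the table; the date format and the component prefixes are assumptions about how your own inventory is kept.

```python
import re
from collections import Counter

# Constructed sample: four notes from the August 2025 list, one per line, in a
# flat "Note | Description Priority: .. Released on: .. Components: .. Category: .. | Severity | CVSS |" layout.
SAMPLE_ROWS = """\
3627998 | [CVE-2025-42957] Code Injection vulnerability in SAP S/4HANA (Private Cloud or On-Premise) Priority: HotNews Released on: 12.08.2025 Components: CA-DT-ANA Category: Program error | Hot News | 9.9 |
3581961 | [CVE-2025-27429] Code Injection Vulnerability in SAP S/4HANA (Private Cloud or On-Premise) Priority: HotNews Released on: 08.04.2025 Components: CA-LT-ANA Category: Program error | Hot News | 9.9 |
3611184 | [CVE-2025-42976] Multiple vulnerabilities in SAP NetWeaver Application Server ABAP (BIC Document) Priority: Correction with high priority Released on: 12.08.2025 Components: FIN-SEM-CPM Category: Program error | High | 8.1 |
3611345 | [CVE-2025-42955] Missing authorization check in SAP Cloud Connector Priority: Correction with low priority Released on: 12.08.2025 Components: BC-MID-SCC Category: Program error | Low | 3.5 |
"""

ROW_RE = re.compile(
    r"^(?P<note>\d+) \| \[(?P<cve>CVE-\d{4}-\d+)\] (?P<title>.*?) "
    r"Priority: (?P<priority>.*?) Released on: (?P<released>\d{2}\.\d{2}\.\d{4}) "
    r"Components: (?P<component>\S+) Category: (?P<category>.*?) \| "
    r"(?P<severity>[^|]+?) \| (?P<cvss>\d+\.\d) \|$"
)

def parse_rows(text):
    """Turn flat note lines into dicts; lines that do not match the layout are skipped."""
    notes = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["cvss"] = float(d["cvss"])
            notes.append(d)
    return notes

def severity_summary(notes):
    """Count notes per severity, like the 'Summary by Severity' table."""
    return dict(Counter(n["severity"] for n in notes))

def reissued_before(notes, cycle_date):
    """Notes whose original release date is before this cycle's date (DD.MM.YYYY):
    these are updates or downports of earlier fixes, not new vulnerabilities."""
    key = lambda s: tuple(reversed(s.split(".")))  # (YYYY, MM, DD) for comparison
    return [n["note"] for n in notes if key(n["released"]) < key(cycle_date)]

def notes_for_area(notes, prefix):
    """Notes whose application component starts with prefix (e.g. 'CA-LT'), highest CVSS first."""
    hits = [n for n in notes if n["component"].startswith(prefix)]
    return [n["note"] for n in sorted(hits, key=lambda n: -n["cvss"])]
```

Pair the component filter with the software component actually installed (DMIS add-on or S4CORE) before deciding that a HotNews note does not apply to a system.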