SAP Security Patch Day – February 2025
![Patch Tuesday Graphic](https://securitybridge.com/wp-content/uploads/2025/02/Patch-Tuesday-graphic-blog-1024x535.png)
Although it might seem like 2025 has only just begun for some, we’re already marking the second SAP Security Patch Day of the year. SAP has released a new set of security patches, and as usual, we’ll delve into the details and highlight the key updates. Every month brings news of data breaches, ransomware attacks, or other cyber threats that organizations must confront. Frequently, these incidents are linked to systems that haven’t been adequately patched. This only reinforces the critical message: patch management is not something to overlook. Keeping this task at the forefront of IT security is essential—there are too many examples of its importance to ignore it.
At SecurityBridge, we understand the challenges organizations face with patch management and the vital role it plays in maintaining robust security. Our SecurityBridge Patch Management solution offers clear insights into missing patches across your SAP landscape, even assessing the impact of specific patches before they are implemented. By providing a comprehensive, landscape-wide overview, this solution serves as an indispensable tool for enhancing the security of your SAP environment.
Security notes - February 2025
This month, we see a larger number of released notes than in previous months: 19 new notes in total and only 2 updates to existing notes. See below for the highlights and the end of this post for a complete overview.
High priority
There are no security notes with priority ‘HotNews’ this month, so we start with the notes of ‘High’ priority.
A year ago (Patch Day February 2024), SAP released note 3417627, which addressed a Cross-Site Scripting vulnerability (CVE-2024-22126) in the user administration application of SAP NetWeaver AS Java. The update to note 3417627 now states that the original correction is not sufficient: note 3557138, also part of this month’s release, must be implemented in addition.
Note 3525794 (CVE-2025-0064) concerns the Central Management Console of the SAP BusinessObjects BI platform: under specific conditions, an attacker with administrative rights can generate or retrieve a secret passphrase and use it to impersonate any user on the platform. Apart from applying the patches, see note 3559381 for a secure implementation of the new Trusted Authentication method combined with CORBA SSL.
Note 3567974 briefly names a vulnerability in the ‘SAP Approuter’ (CVE-2025-24876, an authentication bypass via authorization code injection), which is fixed in a new version of the package. The SAP Approuter is not a traditional SAP component and is probably not well known to those usually responsible for patch management, such as technical consultants. It is a Node.js module that is deployed in Cloud Foundry environments on SAP BTP. As the name says, it ‘routes’ traffic to the deployed applications, so think of it as a kind of ‘reverse proxy’ component. Because it ships as an npm package inside the customer’s own deployment rather than as a centrally patched system component, confirming where it is used and applying the fix will probably require the involvement of the development teams.
See the following links for background on this component:
- https://help.sap.com/docs/btp/sap-business-technology-platform/application-router?locale=en-US
- https://community.sap.com/t5/technology-blogs-by-sap/sap-application-router/ba-p/13393550
The next note, 3567172, also concerns a less traditional component: SAP Enterprise Project Connection. It runs on SAP NetWeaver AS Java, and the patch consists of an updated SCA file containing fixed versions of the affected open-source libraries. Although this product is approaching end of maintenance, that does not make it irrelevant for security!
Medium priority
For SAP Commerce, 3 notes have been released that require more than ‘just’ patching:
Note 3555364 concerns the ‘SameSite’ cookie attribute and its role as a defense-in-depth measure against CSRF attacks. Rather than a software patch, the note asks customers to consider carefully which SameSite settings are appropriate for their cookies.
Note 3559510 describes the protection against clickjacking in the SAP Commerce Backoffice, with different patches depending on whether SAP Commerce Cloud or the on-premise variant is used.
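Both Commerce notes above describe controls that are easy to verify from the outside, so here is an added example (not SAP Commerce code) that audits a set of response headers for the two gaps: cookies set without `SameSite` (note 3555364) and pages served without `X-Frame-Options` or a CSP `frame-ancestors` directive (note 3559510). It also includes a deliberately simplified model of when a cookie is attached to a cross-site request, which is the mechanism that makes the SameSite setting relevant for CSRF. The two header sets at the bottom are constructed samples, not captures from a real Backoffice.

```javascript
// Added example (not SAP Commerce code): audit HTTP response headers for the two
// defense-in-depth gaps in notes 3555364 (SameSite cookies) and 3559510 (clickjacking).
// The header sets at the bottom are constructed samples.

// Parse one Set-Cookie header into its name and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map(p => p.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  const name = eq < 0 ? pair : pair.slice(0, eq);
  const attrs = {};
  for (const p of rest) {
    const i = p.indexOf('=');
    if (i < 0) attrs[p.toLowerCase()] = true;                 // Secure, HttpOnly
    else attrs[p.slice(0, i).toLowerCase()] = p.slice(i + 1); // Path, SameSite, ...
  }
  return { name, attrs };
}

// Simplified SameSite model: is this cookie attached to a cross-site request?
// Strict: never. Lax: only on top-level GET navigations, so never on a forged POST.
// None: always, but browsers only accept it together with Secure. Unset: browser-
// dependent, so the audit assumes the worst case (sent), which is the exposure
// note 3555364 is about.
function sentCrossSite(cookie, method, topLevelNavigation) {
  const mode = cookie.attrs.samesite ? String(cookie.attrs.samesite).toLowerCase() : 'unset';
  if (mode === 'strict') return false;
  if (mode === 'lax') return topLevelNavigation && method === 'GET';
  if (mode === 'none') return cookie.attrs.secure === true;
  return true;
}

// Return a list of findings for one response; an empty list means both controls are in place.
function auditResponse(headers) {
  const findings = [];
  for (const raw of headers['set-cookie'] || []) {
    const c = parseSetCookie(raw);
    const ss = c.attrs.samesite ? String(c.attrs.samesite).toLowerCase() : null;
    if (!ss) findings.push(`${c.name}: no SameSite attribute`);
    else if (ss === 'none' && c.attrs.secure !== true) findings.push(`${c.name}: SameSite=None without Secure`);
    if (c.attrs.secure !== true) findings.push(`${c.name}: missing Secure`);
    if (c.attrs.httponly !== true) findings.push(`${c.name}: missing HttpOnly`);
  }
  const xfo = headers['x-frame-options'];
  const csp = headers['content-security-policy'] || '';
  if (!xfo && !/frame-ancestors/i.test(csp)) {
    findings.push('no X-Frame-Options and no CSP frame-ancestors: page can be framed (clickjacking)');
  }
  return findings;
}

// Constructed samples: the same response before and after hardening.
const WEAK_RESPONSE = {
  'set-cookie': ['JSESSIONID=0a1b2c3d; Path=/; HttpOnly', 'cart=42; Path=/; Secure'],
  'content-security-policy': "default-src 'self'",
};
const HARDENED_RESPONSE = {
  'set-cookie': ['JSESSIONID=0a1b2c3d; Path=/; Secure; HttpOnly; SameSite=Lax'],
  'content-security-policy': "default-src 'self'; frame-ancestors 'self'",
  'x-frame-options': 'SAMEORIGIN',
};
```

Running `auditResponse(WEAK_RESPONSE)` yields five findings (two cookies without `SameSite`, one each missing `Secure` and `HttpOnly`, and no framing protection), while the hardened set yields none. Which `SameSite` value is right depends on the application: `Lax` breaks nothing for same-site use but blocks cross-site POSTs, `Strict` also blocks cross-site top-level navigations, and `None` is only appropriate for cookies that genuinely must travel cross-site, which is exactly the consideration the note asks customers to make.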
Note 3540273 is only relevant when certain versions of Apache Solr are used and other prerequisites apply. Apart from applying the patches, note the general recommendation to run a hardened standalone Solr server on a separate machine!
The remaining notes mostly ‘simply’ require patching to mitigate the risks of the identified vulnerabilities. Every note still deserves a careful analysis before implementation, though. For a complete list, see below.
SAP Security Notes February 2025
Highlights
A larger number of security notes than in previous months, without any ‘HotNews’ notes.
Summary by Severity
The February release contains a total of 21 patches with the following severities:

Severity | Number
---|---
Hot News | 0
High | 6
Medium | 14
Low | 1
Note | Title | Components | Released on | Severity | CVSS
---|---|---|---|---|---
3417627 | [CVE-2024-22126] Cross Site Scripting vulnerability in NetWeaver AS Java (User Admin Application) | BC-JAS-SEC-UME | 13.02.2024 | High | 8.8
3525794 | [CVE-2025-0064] Improper Authorization in SAP BusinessObjects Business Intelligence platform (Central Management Console) | BI-BIP-AUT | 11.02.2025 | High | 8.7
3567551 | [CVE-2025-25243] Path traversal vulnerability in SAP Supplier Relationship Management (Master Data Management Catalog) | SRM-CAT-MDM | 11.02.2025 | High | 8.6
3567974 | [CVE-2025-24876] Authentication bypass via authorization code injection in SAP Approuter | BC-XS-APR | 11.02.2025 | High | 8.1
3567172 | [CVE-2024-38819] Multiple vulnerabilities in SAP Enterprise Project Connection | CA-EPC | 11.02.2025 | High | 7.5
3563929 | [CVE-2025-24868] Open Redirect Vulnerability in SAP HANA extended application services, advanced model (User Account and Authentication Services) | BC-XS-SEC | 11.02.2025 | High | 7.1
3559510 | [CVE-2025-24874] Missing Defense in Depth Against Clickjacking in SAP Commerce (Backoffice) | CEC-SCC-CDM-BO-FRW | 11.02.2025 | Medium | 6.8
3555364 | [CVE-2025-24875] SameSite Defense in Depth not applied for some cookies in SAP Commerce | CEC-SCC-CDM-BO-FRW | 11.02.2025 | Medium | 6.8
3445708 | [CVE-2025-24867] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform (BI Launchpad) | BI-BIP-INV | 11.02.2025 | Medium | 6.1
3557138 | Update 1 to Security Note 3417627 - [CVE-2024-22126] Cross Site Scripting vulnerability in NetWeaver AS Java (User Admin Application) | BC-JAS-SEC-UME | 11.02.2025 | Medium | 6.1
3562336 | [CVE-2025-24870] Insecure Key & Secret Management vulnerability in SAP GUI for Windows | BC-FES-GUI | 11.02.2025 | Medium | 6.0
3540273 | [CVE-2024-45216] Multiple vulnerabilities in Apache Solr within SAP Commerce Cloud | CEC-SCC-COM-SRC-SER | 11.02.2025 | Medium | 5.5
3526203 | [CVE-2025-0054] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java | EP-PDK-HBJ | 11.02.2025 | Medium | 5.4
3532025 | [CVE-2025-25241] Missing Authorization check in SAP Fiori Apps Reference Library (My Overtime Requests) | PA-FIO-OVT | 11.02.2025 | Medium | 5.4
3287784 | [CVE-2023-24527] Improper Access Control in SAP NetWeaver AS Java for Deploy Service | BC-JAS-DPL | 11.04.2023 | Medium | 5.3
3561264 | [CVE-2025-23193] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP | BC-BMT-WFM | 11.02.2025 | Medium | 5.3
3546470 | [CVE-2025-23187] Missing Authorization Check in SAP NetWeaver and ABAP Platform (SDCCN) | SV-SMG-SDD | 11.02.2025 | Medium | 5.3
3547581 | [CVE-2025-23190] Missing Authorization check in SAP NetWeaver and ABAP platform (ST-PI) | SV-SMG-TWB | 11.02.2025 | Medium | 4.3
3553753 | [CVE-2025-24872] Missing Authorization check in SAP ABAP Platform (ABAP Build Framework) | BC-UPG-ADDON | 11.02.2025 | Medium | 4.3
3550027 | [CVE-2025-24869] Information Disclosure vulnerability in SAP NetWeaver Application Server Java | BC-WD-JAV | 11.02.2025 | Medium | 4.3
3426825 | [CVE-2025-23191] Cache Poisoning through header manipulation vulnerability in SAP Fiori for SAP ERP | OPU-GW-COR | 11.02.2025 | Low | 3.1

All notes in this list are of category ‘Program error’, and each note’s priority (correction with high, medium or low priority) corresponds to its Severity column.