
SAP Security Patch Day – July 2025

A New Record: 30 SAP Security Notes released – SAP has just issued 30 Security Notes in a single monthly release — the highest number we’ve seen in a long time. This underscores the critical importance of SAP Security and highlights why robust patch management practices are essential. Yet, for most SAP landscapes, applying patches is far from simple. The complexity of the environments, along with a web of interdependent components, makes the process both time-consuming and prone to errors. Missing important updates is all too easy.
At SecurityBridge, we are deeply familiar with these challenges. That’s why our SecurityBridge Patch Management solution is built to address them head-on. It helps you detect missing patches throughout your SAP environment, offering greater visibility, detailed impact analysis, and automated deployment features. With a centralized overview of your system, our solution streamlines the patching process, significantly cutting down implementation time and strengthening your SAP landscape against both current and evolving threats.
Security notes - July 2025
In this monthly cycle, 27 new notes have been released, and 3 existing notes have been updated. Below, you’ll find the key highlights grouped by priority. For a full breakdown, scroll to the end of this post.
HotNews – Deserialization vulnerabilities
A notable total of 6 HotNews notes have been published this month — quite a high number. On closer inspection, all except one (note 3618955) address the same underlying issue: insecure deserialization. That raises the question: What exactly does this mean, and why is it significant?
What is deserialization?
Software applications often exchange data in serialized formats such as JSON, XML, or binary, in which complex data structures are converted into a form suitable for storage or transmission. A deserialization vulnerability abuses the process by which a program reconstructs an object from its serialized form. If the application does not properly validate the input before reconstructing it, an attacker can supply specially crafted data that makes the application execute commands, alter its logic, or instantiate malicious objects. Deserialization vulnerabilities are particularly dangerous in languages like Java, Python, or PHP, where deserialization can instantiate classes and invoke methods automatically. This also explains why the 5 HotNews notes all concern Java-based components.
See CWE-502 for more information.
HotNews notes
Note 3578900 addresses a collection of vulnerabilities and has been updated this month with vulnerability CVE-2025-30012, which has the highest possible CVSS score: 10! This concerns an already deprecated Java applet that can still be exploited on existing installations. Check your installation to see if the Software Component exists and can be subsequently undeployed.
Note 3618955 concerns a Code Injection Vulnerability in SAP S/4HANA and SAP SCM. Although this can only be exploited from the internal network AND with authorization to execute reports, it is considered highly critical (CVSS 9.9). There is no workaround; the correction instructions or support package must be applied.
Notes 3610892, 3621236, 3620498, and 3621771 all describe similar deserialization issues, but on various components in the SAP AS Java technology stack. The main solution is that the logic is enhanced so that the data is properly checked before deserialization takes place. For some cases, workarounds are available, but the proper solution is to apply the patch!
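To make the mechanism behind these notes and their fix concrete, here is an added Java example; it is not code from SAP, from the affected components, or from this post. It shows the unsafe pattern (an `ObjectInputStream` that instantiates whatever class the incoming stream names) beside the same read protected by a `java.io.ObjectInputFilter` allowlist (JEP 290, Java 9 and later), which is the general form of the "check the data before deserialization takes place" correction described above. The class names, the allowlist contents, and the size limits are assumptions chosen for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

public class DeserializationDemo {

    // Constructed for the demo: a class the application never expects in this
    // stream. It stands in for any class an attacker would rather have instantiated.
    static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        String note = "not on the allowlist";
    }

    // Helper: serialize an object to bytes, as a client or a file would deliver it.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: no validation, so any Serializable class on the
    // classpath that the stream names is resolved and instantiated.
    static Object readUnchecked(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened pattern: an allowlist filter is consulted for every class (and for
    // depth, reference count and stream size) before the object graph is built.
    // "!*" rejects everything not listed explicitly. Contents are an assumption
    // for this demo; a real application lists exactly the types it expects.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "java.util.HashMap;java.lang.String;java.lang.Integer;java.lang.Number;"
          + "maxdepth=5;maxrefs=100;maxbytes=4096;!*");

    static Object readChecked(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ALLOWLIST);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the payload the application expects, and one it does not.
        Map<String, Integer> expected = new HashMap<>();
        expected.put("quantity", 42);
        byte[] good = serialize(expected);
        byte[] bad = serialize(new Unexpected());

        System.out.println("unchecked, expected payload:  " + readUnchecked(good));
        System.out.println("unchecked, unexpected class:  " + readUnchecked(bad).getClass().getName());
        System.out.println("checked,   expected payload:  " + readChecked(good));
        try {
            readChecked(bad);
        } catch (InvalidClassException e) {
            // The filter rejects the class before any of its code runs.
            System.out.println("checked,   unexpected class:  rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac DeserializationDemo.java && java DeserializationDemo`. The unchecked read happily returns an `Unexpected` instance, while the filtered read throws `InvalidClassException` with filter status `REJECTED` before the class is instantiated. The same filter syntax can be applied process-wide through the `jdk.serialFilter` system property, which is useful when the code doing the deserialization cannot be changed, but a per-stream allowlist as shown here is the tighter control.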
High priority notes
Next up are the ‘High’ priority notes. While not as critical as the ‘HotNews’ items, these still describe serious security vulnerabilities — and should not be taken lightly.
Four notes in this category are newly released, and one is updated. In most cases, it’s simply a matter of applying the available fixes. Some noteworthy points:
- Note 3600846: This is not a software patch but requires manual steps for the deletion and regeneration of an HMAC key. See FAQ note 3601141 for clarification.
- Note 3623440: There is a workaround by restricting S_RFC to functions or function groups.
- Note 3610591: This has only been updated with minor textual changes.
Medium and Low-priority notes
19 notes fall into the ‘Medium’ or ‘Low’ category. Here too, the majority simply require applying the available fixes.
Who hasn’t heard of SAPCAR?
Every technical SAP consultant is familiar with the archiving utility SAPCAR—a command-line tool developed by SAP for archiving and unarchiving files with the ‘.SAR’ extension. Looks like someone has been researching this tool recently because we see 3 notes concerning SAPCAR: notes 3595143, 3595156, and 3595141. This once again highlights an important truth: security isn’t just about the core technology stacks—it extends to all components, no matter how insignificant they may seem. And in SAP landscapes, those components are many!
SecurityBridge findings
At SecurityBridge, we don’t just deliver a comprehensive SAP security platform for our customers—we’re also deeply committed to ongoing research in the SAP security domain.
This continuous effort frequently leads to the discovery of new vulnerabilities, which we responsibly disclose and address in close cooperation with SAP. Building on last month’s contributions, we’re proud to share our latest finding: SAP Note 3608156.
SAP Security Notes July 2025
Highlights
A record number of patches with 6 HotNews notes that mainly concern deserialization vulnerabilities.
Summary by Severity
The July release contains a total of 30 patches for the following severities:
Severity | Number
---|---
Hot News | 6
High | 5
Medium | 17
Low | 2
Note | Description | Released on | Components | Category | Severity | CVSS
---|---|---|---|---|---|---
3578900 | [CVE-2025-30012] Multiple vulnerabilities in SAP Supplier Relationship Management (Live Auction Cockpit) | 13.05.2025 | SRM-LA | Program error | Hot News | 10.0
3618955 | [CVE-2025-42967] Code Injection vulnerability in SAP S/4HANA and SAP SCM (Characteristic Propagation) | 08.07.2025 | SCM-APO-PPS | Program error | Hot News | 9.9
3621236 | [CVE-2025-42964] Insecure Deserialization in SAP NetWeaver Enterprise Portal Administration | 08.07.2025 | BC-PIN-PCD | Program error | Hot News | 9.1
3621771 | [CVE-2025-42963] Insecure Deserialization in SAP NetWeaver Application Server for Java (Log Viewer) | 08.07.2025 | BC-JAS-ADM-LOG | Program error | Hot News | 9.1
3620498 | [CVE-2025-42980] Insecure Deserialization in SAP NetWeaver Enterprise Portal Federated Portal Network | 08.07.2025 | EP-PIN-FPN | Program error | Hot News | 9.1
3610892 | [CVE-2025-42966] Insecure Deserialization vulnerability in SAP NetWeaver (XML Data Archiving Service) | 08.07.2025 | BC-ILM-DAS | Program error | Hot News | 9.1
3623440 | [CVE-2025-42953] Missing Authorization check in SAP NetWeaver Application Server for ABAP | 08.07.2025 | BC-CCM-CNF-OPM | Program error | High | 8.1
3600846 | [CVE-2025-42959] Missing Authentication check after implementation of SAP Security Note 3007182 and 3537476 | 08.07.2025 | BC-MID-RFC | Program error | High | 8.1
3565279 | [CVE-2024-53677] Insecure File Operations vulnerability in SAP Business Objects Business Intelligence Platform (CMC) | 08.07.2025 | BI-BIP-CMC | Program error | High | 8.0
3623255 | [CVE-2025-42952] Missing Authorization check in SAP Business Warehouse and SAP Plug-In Basis | 08.07.2025 | CRM-MW-ADP | Program error | High | 7.7
3610591 | [CVE-2025-42977] Directory Traversal vulnerability in SAP NetWeaver Visual Composer | 10.06.2025 | EP-VC-INF | Program error | High | 7.6
3595143 | [CVE-2025-43001] Multiple Privilege Escalation Vulnerabilities in SAPCAR | 08.07.2025 | BC-INS-TLS | Program error | Medium | 6.9
3580384 | [CVE-2025-42993] Missing Authorization Check in SAP S/4HANA (Enterprise Event Enablement) | 10.06.2025 | OPU-XBE | Program error | Medium | 6.7
3604212 | [CVE-2025-42962] Cross-Site Scripting (XSS) vulnerability in SAP Business Warehouse (Business Explorer Web 3.5 loading animation) | 08.07.2025 | BW-BEX-ET-WEB | Program error | Medium | 6.1
3617131 | [CVE-2025-42981] Open Redirect vulnerability in SAP NetWeaver Application Server ABAP | 08.07.2025 | BC-FES-ITS | Program error | Medium | 6.1
3596987 | [CVE-2025-42969] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | 08.07.2025 | BC-MID-AC | Program error | Medium | 6.1
3617380 | [CVE-2025-42985] Open Redirect vulnerability in SAP BusinessObjects Content Administrator workbench | 08.07.2025 | BI-RA-CR | Program error | Medium | 6.1
3595156 | [CVE-2025-42970] Directory Traversal vulnerability in SAPCAR | 08.07.2025 | BC-INS-TLS | Program error | Medium | 5.8
3607513 | [CVE-2025-42979] Insecure Key & Secret Management vulnerability in SAP GUI for Windows | 08.07.2025 | BC-FES-GXT | Program error | Medium | 5.6
3606103 | [CVE-2025-42973] Cross-Site Scripting (XSS) vulnerability in SAP Data Services (DQ Report) | 08.07.2025 | EIM-DS-SVR | Program error | Medium | 5.4
3621037 | [CVE-2025-42968] Missing Authorization check in SAP NetWeaver (RFC enabled function module) | 08.07.2025 | SV-SMG-MON-REP | Program error | Medium | 5.0
3610322 | [CVE-2025-42961] Missing Authorization check in SAP NetWeaver Application Server for ABAP | 08.07.2025 | BC-DB-DBI | Program error | Medium | 4.9
3610056 | [CVE-2025-42974] Missing Authorization Check in SAP NetWeaver and ABAP Platform (SDCCN) | 08.07.2025 | SV-SMG-SDD | Program error | Medium | 4.3
3626440 | [CVE-2025-42986] Missing Authorization check in SAP NetWeaver and ABAP Platform | 08.07.2025 | SV-SMG-SDD | Program error | Medium | 4.3
3608991 | [CVE-2025-42960] Missing Authorization Check in SAP Business Warehouse and SAP BW/4HANA BEx Tools | 08.07.2025 | BW-BEX-ET | Program error | Medium | 4.3
3573199 | [CVE-2025-31326] HTML Injection vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence) | 08.07.2025 | BI-RA-WBI-FE-HTM | Program error | Medium | 4.1
3598118 | [CVE-2025-42965] Server Side Request Forgery (SSRF) vulnerability in SAP BusinessObjects BI Platform Central Management Console Promotion Management Application | 08.07.2025 | BI-BIP-LCM | Program error | Medium | 4.1
3595141 | [CVE-2025-42971] Memory Corruption vulnerability in SAPCAR | 08.07.2025 | BC-INS-TLS | Program error | Medium | 4.0
3557179 | [CVE-2025-42978] Insufficiently Secure Hostname Verification for Outbound TLS Connections in SAP NetWeaver Application Server Java | 08.07.2025 | BC-JAS-SEC | Program error | Low | 3.5
3608156 | [CVE-2025-42954] Denial of service (DoS) in SAP NetWeaver Business Warehouse (CCAW application) | 08.07.2025 | BW-BEX-ET | Program error | Low | 2.7