SAP Security Patch Day – June 2025


Fourteen new SAP Security Notes — each one represents a potential threat to your SAP landscape, potentially compromising your systems or sensitive data. Consider what a malicious actor might do with that knowledge. Then ask yourself: how quickly can your organization ensure those threats are neutralized? If that answer gives you confidence, that’s excellent. But for many, this is not the case — patch implementation often takes days, even weeks.
That’s precisely where SecurityBridge Patch Management steps in. In most SAP environments, patching is far from simple. The inherent complexity, along with interdependent components, turns patching into a time-consuming and error-prone process — making it all too easy to overlook critical updates. At SecurityBridge, we deeply understand these challenges. That’s why we built our Patch Management solution to address them head-on. It identifies missing patches across your SAP landscape, provides powerful visibility, delivers thorough impact analysis, and supports automated deployment. With a centralized view of your system landscape, our solution streamlines the patching process — drastically reducing the time needed to secure your environment and strengthening your defense against both existing and emerging threats.
Security notes - June 2025
As stated above, 14 notes are newly released. Additionally, 5 notes have either been previously released or recently updated. Below are the highlights categorized by priority. Scroll to the end of this post for the complete overview.
HotNews notes
Two notes have the highest priority ‘HotNews’.
First is note 3600840, which describes a missing authorization check: in some scenarios on ABAP-based systems the S_RFC authorization object is not checked. The impact can be very significant, which is why this note carries a CVSS score of 9.6! Follow the instructions of FAQ note 3601919 carefully to fully mitigate the risk. There is no workaround!
Vulnerability CVE-2025-31324 has already been widely discussed. After the last patch cycle, an additional note was released on May 14 which needs to be considered and is now listed again as note 3604119. Review it closely and check out our separate article on this particular vulnerability.
High priority notes
Next up are the ‘High’ priority notes. While not as critical as the ‘HotNews’ items, these still describe serious security vulnerabilities — and should not be taken lightly.
Five notes in this category are newly released and are relatively straightforward in terms of remediation. In most cases, it’s simply a matter of applying the available fixes. Some noteworthy points:
- Note 3610591 concerns the component SAP NetWeaver Visual Composer again. If there was not enough to do about this already…
- Note 3610006 describes multiple vulnerabilities on the SAP MDM component which we haven’t seen recently for patching. Take extra care to patch!
- Note 3474398 and 3591978 are updated notes with updated validity and support package information. Double-check if relevant to your landscape.
Medium and Low-priority notes
Ten notes fall in the medium or low category. Here too, most of them simply require applying the fixes. Points to consider:
SAP Security Notes June 2025
Highlights
Fourteen new notes to consider, plus 5 notes that have been updated.
Summary by Severity
The June release contains a total of 19 patches for the following severities:
| Severity | Number |
|---|---|
| Hot News | 2 |
| High | 7 |
| Medium | 7 |
| Low | 3 |
All 19 notes are of SAP category "Program error". Release dates before 10.06.2025 mark notes that were previously released and are updated or re-listed this month.

| Note | CVE | Description | Priority | Released on | Component | Severity | CVSS |
|---|---|---|---|---|---|---|---|
| 3600840 | CVE-2025-42989 | Missing Authorization check in SAP NetWeaver Application Server for ABAP | HotNews | 10.06.2025 | BC-MID-RFC-QT | Hot News | 9.6 |
| 3604119 | CVE-2025-42999 | Insecure Deserialization in SAP NetWeaver (Visual Composer development server) | HotNews | 13.05.2025 | EP-VC-INF | Hot News | 9.1 |
| 3609271 | CVE-2025-42982 | Information Disclosure in SAP GRC (AC Plugin) | Correction with high priority | 10.06.2025 | GRC-ACP | High | 8.8 |
| 3474398 | CVE-2025-0061 | Multiple vulnerabilities in SAP BusinessObjects Business Intelligence Platform | Correction with high priority | 14.01.2025 | BI-BIP-INV | High | 8.7 |
| 3606484 | CVE-2025-42983 | Missing Authorization check in SAP Business Warehouse and SAP Plug-In Basis | Correction with high priority | 10.06.2025 | CRM-MW | High | 8.5 |
| 3560693 | CVE-2025-23192 | Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence (BI Workspace) | Correction with high priority | 10.06.2025 | BI-BIP-INV | High | 8.2 |
| 3591978 | CVE-2025-43011 | Missing Authorization Check in SAP Landscape Transformation (PCL Basis) | Correction with high priority | 13.05.2025 | CA-LT-PCL | High | 7.7 |
| 3610591 | CVE-2025-42977 | Directory Traversal vulnerability in SAP NetWeaver Visual Composer | Correction with high priority | 10.06.2025 | EP-VC-INF | High | 7.6 |
| 3610006 | CVE-2025-42994 | Multiple vulnerabilities in SAP MDM Server | Correction with high priority | 10.06.2025 | MDM-FN-MDS-SEC | High | 7.5 |
| 3580384 | CVE-2025-42993 | Missing Authorization Check in SAP S/4HANA (Enterprise Event Enablement) | Correction with medium priority | 10.06.2025 | OPU-XBE | Medium | 6.7 |
| 3585992 | CVE-2025-43008 | Missing Authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal | Correction with medium priority | 13.05.2025 | PY-PT | Medium | 5.8 |
| 3590887 | CVE-2025-31325 | Cross-Site Scripting (XSS) Vulnerability in SAP NetWeaver (ABAP Keyword Documentation) | Correction with medium priority | 10.06.2025 | BC-ABA-LA | Medium | 5.8 |
| 3441087 | CVE-2025-42984 | Missing Authorization check in SAP S/4HANA (Manage Central Purchase Contract application) | Correction with medium priority | 10.06.2025 | MM-PUR-HUB-CTR | Medium | 5.4 |
| 3594258 | CVE-2025-42998 | Security misconfiguration vulnerability in SAP Business One Integration Framework | Correction with medium priority | 10.06.2025 | SBO-INT-B1IF | Medium | 5.3 |
| 3608058 | CVE-2025-42991 | Missing Authorization check in SAP S/4HANA (Bank Account Application) | Correction with medium priority | 10.06.2025 | FIN-FSCM-CLM-BAM | Medium | 4.3 |
| 3596850 | CVE-2025-42987 | Missing Authorization Check in SAP S/4HANA (Manage Processing Rules - For Bank Statement) | Correction with medium priority | 10.06.2025 | FI-FIO-AR-PAY | Medium | 4.3 |
| 3585545 | CVE-2025-42988 | Server-Side Request Forgery in SAP Business Objects Business Intelligence Platform | Correction with low priority | 10.06.2025 | BI-BIP-INV | Low | 3.7 |
| 3426825 | CVE-2025-23191 | Cache Poisoning through header manipulation vulnerability in SAP Fiori for SAP ERP | Correction with low priority | 11.02.2025 | OPU-GW-COR | Low | 3.1 |
| 3601169 | CVE-2025-42990 | HTML Injection in Unprotected SAPUI5 applications | Correction with low priority | 10.06.2025 | CA-UI5-SC | Low | 3.0 |
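As an added example (not code from this post or from SecurityBridge), the following script turns rows in the flattened "Note | Description | Severity | CVSS |" layout of the overview above into a CVSS-ordered remediation backlog and flags re-listed notes (released before Patch Day, 10.06.2025). The three sample rows are copied from the table; the `PATCH_DAY` constant and the function names are assumptions for this illustration.

```python
import re
from collections import Counter
from datetime import date

# Constructed sample: three rows copied from the overview table above,
# in the flattened layout the page uses.
SAMPLE_ROWS = """\
3600840 | [CVE-2025-42989] Missing Authorization check in SAP NetWeaver Application Server for ABAP Priority: HotNews Released on: 10.06.2025 Components: BC-MID-RFC-QT Category: Program error | Hot News | 9.6 |
3604119 | [CVE-2025-42999] Insecure Deserialization in SAP NetWeaver (Visual Composer development server) Priority: HotNews Released on: 13.05.2025 Components: EP-VC-INF Category: Program error | Hot News | 9.1 |
3426825 | [CVE-2025-23191] Cache Poisoning through header manipulation vulnerability in SAP Fiori for SAP ERP Priority: Correction with low priority Released on: 11.02.2025 Components: OPU-GW-COR Category: Program error | Low | 3.1 |
"""

PATCH_DAY = date(2025, 6, 10)  # assumed: the June 2025 release date from the table

# One regex for the whole flattened row: note, CVE, title, priority, date,
# component, category, severity and CVSS score.
ROW_RE = re.compile(
    r"^(?P<note>\d{7}) \| \[(?P<cve>CVE-\d{4}-\d+)\] (?P<title>.+?) "
    r"Priority: (?P<priority>.+?) Released on: (?P<released>\d{2}\.\d{2}\.\d{4}) "
    r"Components: (?P<component>\S+) Category: (?P<category>.+?) \| "
    r"(?P<severity>[A-Za-z ]+?) \| (?P<cvss>\d+\.\d) \|$"
)


def parse_rows(text):
    """Parse each flattened row into a dict; fail loudly on rows that do not match."""
    notes = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable row: {line!r}")
        d = m.groupdict()
        day, month, year = (int(x) for x in d["released"].split("."))
        d["released"] = date(year, month, day)   # DD.MM.YYYY as used by SAP
        d["cvss"] = float(d["cvss"])
        notes.append(d)
    return notes


def severity_counts(notes):
    """Counts per severity, to cross-check against the 'Summary by Severity' table."""
    return Counter(n["severity"] for n in notes)


def backlog(notes, patch_day=PATCH_DAY):
    """Remediation order: highest CVSS first; True marks a re-listed (older) note."""
    ordered = sorted(notes, key=lambda n: n["cvss"], reverse=True)
    return [(n["note"], n["cvss"], n["released"] < patch_day) for n in ordered]
```

Running `backlog(parse_rows(SAMPLE_ROWS))` puts the HotNews notes first and marks 3604119 and 3426825 as re-listed; `severity_counts` over all 19 rows should reproduce the 2/7/7/3 split above.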