SAP Security Patch Day – May 2025

It is SAP Security Patch Day again: another round of SAP Security Notes has been released, and it is time to review and implement them. Did you know that it often takes organizations several weeks, or even months, to fully apply these critical updates? During that delay, known vulnerabilities remain unaddressed and production systems stay exposed to threats that attackers already know about. This underscores the need to streamline the change, testing and approval processes that slow down implementation. Timely patching is not just important; it is essential for maintaining a secure SAP environment.
In most SAP landscapes, patching is anything but straightforward. The complexity of the environment, combined with numerous interdependent components, makes patching a labor-intensive and error-prone task. It’s easy to miss crucial updates. At SecurityBridge, we understand these challenges like no other. Our SecurityBridge Patch Management solution is specifically designed to tackle them. It helps identify missing patches across your SAP environment, offering enhanced visibility, comprehensive impact analysis, and automated deployment capabilities. With a centralized system overview, our solution significantly reduces the time required to implement patches, fortifying your SAP landscape against both current and emerging threats.
Security notes - May 2025
This month, 22 security notes have either been newly released or updated since the previous release.
See below for the highlights per priority, and scroll to the end of this post for a complete overview.
HotNews
No fewer than four security notes have been listed with the highest ‘HotNews’ priority.
Security Note 3594142 (CVE-2025-31324, a missing authorization check in the Visual Composer development server of SAP NetWeaver Java) has received significant attention since its release on 24 April due to active exploitation in the wild. With a CVSS score of 10.0, this vulnerability should, obviously, be mitigated immediately. Because it was exploited before the note was available, applying the patch is not the end of the job: any reachable Java instance that had Visual Composer installed should also be checked for signs of compromise, since a correction does not remove a web shell that was dropped before it was applied.
Important note: in addition to Note 3594142, make sure to implement Note 3604119 (CVE-2025-42999, an insecure deserialization issue in the same component, CVSS 9.1) as well. Although listed separately, this related vulnerability must also be addressed to ensure the Visual Composer component is properly secured. For more information, refer to our blog post: Critical SAP Zero-Day Vulnerability: CVE-2025-31324.
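The following Python script is an added example for this article (it is not SecurityBridge's Patch Management product and not SAP code) showing the first-pass checks a defender would run on a NetWeaver Java host while the two Visual Composer notes are being rolled out: is the component present at all, have unexpected JSP or class files appeared in the irj web application's JSP directories, and has the upload endpoint seen any traffic. The component name VCFRAMEWORK, the directory layout under the irj application and the /developmentserver/metadatauploader endpoint are assumptions taken from public incident reporting on CVE-2025-31324 rather than from this page; confirm them against SAP's guidance for your release. The directory tree and log lines the script runs against are constructed.

```python
"""Triage helpers for the Visual Composer issue behind Notes 3594142 and 3604119.

Example code added to this article; it is not SecurityBridge tooling or SAP code.
The component name, directory layout and endpoint below are assumptions taken
from public incident reporting on CVE-2025-31324. Confirm them against SAP's own
guidance for your release before acting on a result.
"""
from __future__ import annotations

import tempfile
from pathlib import Path

# Assumption: Visual Composer ships on the Java stack as this software component.
VC_COMPONENT = "VCFRAMEWORK"
# Assumption: inside the irj application directory
# (/usr/sap/<SID>/J<nn>/j2ee/cluster/apps/sap.com/irj) the JSP tree is
# servlet_jsp/irj/{root,work,work/sync}; reported web shells landed there.
JSP_SUBDIRS = ("root", "work")          # rglob of "work" also covers work/sync
# Assumption: the endpoint that accepted unauthenticated uploads.
UPLOAD_ENDPOINT = "/developmentserver/metadatauploader"
SUSPECT_SUFFIXES = (".jsp", ".java", ".class")


def visual_composer_installed(software_components: list[str]) -> bool:
    """True if the VC framework is in the instance's software component list
    (as shown on the Java System Information page). Without it, the two
    notes do not apply to that instance."""
    return any(c.strip().upper().startswith(VC_COMPONENT) for c in software_components)


def find_unexpected_server_files(irj_app_dir: Path) -> list[tuple[str, float]]:
    """(relative path, mtime) of server-side source or bytecode in the irj JSP
    directories, newest first. Normal operation does not create files there,
    so every hit needs manual review; a recent mtime is the strongest signal."""
    base = irj_app_dir / "servlet_jsp" / "irj"
    found: dict[str, float] = {}
    for sub in JSP_SUBDIRS:
        directory = base / sub
        if not directory.is_dir():
            continue
        for path in directory.rglob("*"):
            if path.is_file() and path.suffix.lower() in SUSPECT_SUFFIXES:
                found[path.relative_to(base).as_posix()] = path.stat().st_mtime
    return sorted(found.items(), key=lambda item: item[1], reverse=True)


def find_upload_requests(access_log_lines: list[str]) -> list[str]:
    """Access-log lines that touch the upload endpoint. Deliberately
    format-agnostic: a production portal should see no traffic to it at all,
    so any hit (a POST above all) is an incident-response lead, not a finding."""
    return [line for line in access_log_lines if UPLOAD_ENDPOINT in line]


def demo() -> dict:
    """Run all three checks against a constructed irj tree and constructed log lines."""
    with tempfile.TemporaryDirectory() as tmp:
        irj = Path(tmp) / "irj"
        root = irj / "servlet_jsp" / "irj" / "root"
        sync = irj / "servlet_jsp" / "irj" / "work" / "sync"
        root.mkdir(parents=True)
        sync.mkdir(parents=True)
        (root / "index.html").write_text("<html></html>")       # benign static content
        (root / "helper.jsp").write_text("<% /* planted */ %>")  # constructed web-shell stand-in
        (sync / "cache.class").write_bytes(b"\xca\xfe\xba\xbe")  # constructed compiled drop-in
        suspect = find_unexpected_server_files(irj)
    # Constructed lines; the real HTTP access log format on your host will differ.
    log = [
        '198.51.100.7 - - [24/Apr/2025:10:02:13 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
        '203.0.113.9 - - [24/Apr/2025:10:02:40 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 45',
    ]
    return {
        "vc_installed": visual_composer_installed(["CORE-TOOLS", "VCFRAMEWORK", "ENGINEAPI"]),
        "suspect_files": [name for name, _ in suspect],
        "upload_requests": find_upload_requests(log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as is to see the checks on the constructed data; on a real host, point find_unexpected_server_files at the irj application directory and feed find_upload_requests the lines of the ICM/HTTP access log. A hit from either check is a reason to start incident response on that instance, not merely to schedule the patch.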
The other two HotNews notes were initially released last month but have since been updated. Refer to our previous blog post for background information.
- Note 3587115 includes updated correction instructions for more recent DMIS versions, so please verify applicability.
- Note 3581961 has only seen a minor update to its title. However, the change makes it clear that On-Premise systems are also affected. If you previously missed this, be sure to double-check.
High and medium priority
Next up are the ‘High’ priority notes. While not as critical as the ‘HotNews’ items, these still describe serious security vulnerabilities—and should not be taken lightly.
The five notes in this category are relatively straightforward in terms of remediation. In most cases, it’s simply a matter of applying the available fixes.
- Note 3578900 outlines multiple vulnerabilities in the SRM_SERVER component—an uncommon target in recent advisories.
- Note 3483344 has been updated with correction instructions for the SEM-BW component, so be sure to check affected systems for applicability.
The remaining 13 notes are categorized as ‘Medium’ priority.
- Notes 2719724, 2491817, and 3585992 all address issues with authorization checks. Pay close attention to the manual activities required to ensure complete implementation.
SecurityBridge findings
At SecurityBridge, we not only provide a comprehensive SAP security solution for our customers, but we also conduct in-depth research on SAP security topics.
Through this ongoing research, we regularly discover vulnerabilities, which we then address in close collaboration with SAP. Following last month’s contributions, we’re proud to announce another finding: Note 3596033.
SAP Security Notes May 2025
Highlights
Critical updates for SAP NetWeaver Java and many notes with relatively high priority.
Summary by Severity
The May release contains a total of 22 patches for the following severities:
Severity | Number
---|---
Hot News | 4
High | 5
Medium | 13
Severity corresponds to SAP's note priority (HotNews, Correction with high priority, Correction with medium priority).

Note | Title | Released on | Component | Category | Severity | CVSS
---|---|---|---|---|---|---
3594142 | [CVE-2025-31324] Missing Authorization check in SAP NetWeaver (Visual Composer development server) | 24.04.2025 | EP-VC-INF | Program error | Hot News | 10.0
3587115 | [CVE-2025-31330] Code Injection Vulnerability in SAP Landscape Transformation (Analysis Platform) | 08.04.2025 | CA-LT-ANA | Program error | Hot News | 9.9
3581961 | [CVE-2025-27429] Code Injection Vulnerability in SAP S/4HANA (Private Cloud or On-Premise) | 08.04.2025 | CA-LT-ANA | Program error | Hot News | 9.9
3604119 | [CVE-2025-42999] Insecure Deserialization in SAP NetWeaver (Visual Composer development server) | 13.05.2025 | EP-VC-INF | Program error | Hot News | 9.1
3578900 | [CVE-2025-30018] Multiple vulnerabilities in SAP Supplier Relationship Management (Live Auction Cockpit) | 13.05.2025 | SRM-LA | Program error | High | 8.6
3600859 | [CVE-2025-43010] Code injection vulnerability in SAP S/4HANA Cloud Private Edition or On Premise (SCM Master Data Layer (MDL)) | 13.05.2025 | SCM-BAS-MDL | Program error | High | 8.3
3586013 | [CVE-2025-43000] Information Disclosure Vulnerability in SAP Business Objects Business Intelligence Platform (PMW) | 13.05.2025 | BI-BIP-LCM | Program error | High | 7.9
3483344 | [CVE-2024-39592] Missing Authorization check in SAP PDCE | 09.07.2024 | FIN-BA | Program error | High | 7.7
3591978 | [CVE-2025-43011] Missing Authorization Check in SAP Landscape Transformation (PCL Basis) | 13.05.2025 | CA-LT-PCL | Program error | High | 7.7
3577300 | [CVE-2025-42997] Information Disclosure vulnerability in SAP Gateway Client | 13.05.2025 | OPU-GW-V4 | Program error | Medium | 6.6
3596033 | [CVE-2025-43003] Information Disclosure vulnerability in SAP S/4HANA (Private Cloud & On-Premise) | 13.05.2025 | CRM-MD-BP | Program error | Medium | 6.4
2491817 | [CVE-2025-43009] Missing Authorization check in SAP Service Parts Management (SPM) | 13.05.2025 | LO-SPM-OUT | Program error | Medium | 6.3
2719724 | [CVE-2025-43007] Missing Authorization check in SAP Service Parts Management (SPM) | 13.05.2025 | LO-SPM-X | Program error | Medium | 6.3
3577287 | [CVE-2025-31329] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | 13.05.2025 | BC-MID-RFC | Program error | Medium | 6.2
3588455 | [CVE-2025-43006] Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management (Master Data Management Catalog) | 13.05.2025 | SRM-CAT-MDM | Program error | Medium | 6.1
3585992 | [CVE-2025-43008] Missing Authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal | 13.05.2025 | PY-PT | Program error | Medium | 5.8
3571096 | [CVE-2025-43004] Security Misconfiguration Vulnerability in SAP Digital Manufacturing (Production Operator Dashboard) | 13.05.2025 | MFG-DM | Customizing | Medium | 5.3
3446649 | [CVE-2025-31328] Cross-Site Request Forgery (CSRF) vulnerability in SAP S/4 HANA (Learning Solution) | 22.04.2025 | PA-FIO-LSO | Program error | Medium | 4.6
3558755 | [CVE-2025-26662] Cross-Site Scripting (XSS) vulnerability in the SAP Data Services Management Console | 13.05.2025 | EIM-DS-SVR | Advance development | Medium | 4.4
3574520 | [CVE-2025-43005] Information Disclosure vulnerability in SAP GUI for Windows | 13.05.2025 | BC-FES-GXT | Program error | Medium | 4.3
3227940 | [CVE-2025-43002] Missing Authorization check in SAP S4/HANA (OData meta-data property) | 13.05.2025 | MM-PUR-SVC-SES | Program error | Medium | 4.3
3359825 | [CVE-2025-31327] OData meta-data property entity tampering in SAP Field Logistics | 22.04.2025 | CA-FL-SRV | Program error | Medium | 4.3