
SAP Security Notes Review: April 2025

08 April 2025


Overview

SAP’s security patch day for April 2025 has seen the release of 20 OSS SAP security notes. Three notes have been classified as critical, five as high, eleven as medium, and one as low, based on their CVSS v3.0 rating.

Security Notes by CVSS v3 Scores for April 2025

Two notes have been released for:

  • SAP NetWeaver Application Server ABAP
  • SAP Commerce Cloud

Single notes have been released for:

  • SAP S/4HANA
  • SAP Landscape Transformation
  • SAP Financial Consolidation
  • SAP BusinessObjects Business Intelligence Platform
  • SAP Capital Yield Tax Management
  • SAP NetWeaver and ABAP Platform
  • SAP Commerce Cloud
  • SAP ERP BW Business Content
  • SAP BusinessObjects Business Intelligence Platform
  • SAP KMC WPC
  • SAP NetWeaver Application Server ABAP
  • SAP Solution Manager
  • SAP S4CORE entity
  • SAP NetWeaver
  • SAP CRM and SAP S/4HANA

Security Notes by Product Category for April 2025

Vulnerabilities: April 2025 Highlights

[CVE-2025-30017] Missing Authorisation check in SAP Solution Manager (SAP Note 3558864)

Due to a missing authorisation check, an authenticated attacker could upload a file as a template for solution documentation in SAP Solution Manager 7.1. After successful exploitation, an attacker can cause limited impact on the integrity and availability of the application.

[CVE-2025-27437] Missing Authorisation check in SAP NetWeaver Application Server ABAP (Virus Scan Interface) (SAP Note 3568778)

A missing authorisation check vulnerability exists in the Virus Scanner Interface of SAP NetWeaver Application Server ABAP. Because of this, an attacker authenticated as a non-administrative user can initiate a transaction, allowing them to access but not modify non-sensitive data without further authorisation and with no effect on availability.

[CVE-2025-31331] Authorisation Bypass vulnerability in SAP NetWeaver (SAP Note 3577131)

SAP NetWeaver allows attackers to bypass authorisation checks and view portions of ABAP code that would typically require additional validation. Once logged into the ABAP system, the attacker can run a specific transaction that exposes sensitive system code without proper authorisation. This vulnerability compromises confidentiality.

[CVE-2025-30013] Code Injection vulnerability in SAP ERP BW Business Content (SAP Note 3571093)

SAP ERP BW Business Content is vulnerable to OS Command Injection through specific function modules. When executed with elevated privileges, these function modules improperly handle user input, allowing an attacker to inject arbitrary OS commands by accessing the target system locally. This vulnerability allows the execution of unintended commands on the underlying system, posing a significant security risk to the application’s confidentiality, integrity and availability.

About this Review

On the second Tuesday of each month, SAP release security updates to their software products. At Applexus UK, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations for each of our managed service customers.

There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.
