SAP Security Notes Review: January 2025

14 January 2025

Overview

SAP’s security patch day for January 2025 has seen the release of 14 OSS SAP security notes. Based on their CVSS v3.0 ratings, two notes have been classified as critical, three as high, eight as medium, and one as low.

Sec Notes CVSS v3 Scores January 2025

Two notes have been released for:

  • SAP NetWeaver Application Server for ABAP and ABAP Platform

Single notes have been released for:

  • SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework)
  • SAP BusinessObjects Business Intelligence Platform
  • SAPSetup
  • SAP Business Workflow and SAP Flexible Workflow
  • SAP NetWeaver Application Server Java
  • SAP GUI for Windows
  • SAP GUI for Java
  • SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)
  • SAP NetWeaver AS JAVA (User Admin Application)
  • SAP NetWeaver Application Server ABAP
  • SAP BusinessObjects Business Intelligence Platform (Crystal Reports for Enterprise)

Sec Notes Product Categories January 2025

Vulnerabilities: January 2025 Highlights

[CVE-2025-0070] Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform (SAP Note 3537476)

SAP NetWeaver Application Server for ABAP and ABAP Platform allows an authenticated attacker to obtain illegitimate access to the system by exploiting improper authentication checks, resulting in privilege escalation. Successful exploitation has a high impact on confidentiality, integrity, and availability.

[CVE-2025-0066] Information Disclosure vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) (SAP Note 3550708)

Under certain conditions, SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) allows attackers to access restricted information due to weak access controls. This can have a significant impact on the confidentiality, integrity, and availability of an application.

[CVE-2025-0063] SQL Injection vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (SAP Note 3550816)

SAP NetWeaver AS ABAP and ABAP Platform does not check for authorisation when a user executes some RFC function modules. This could allow an attacker with basic user privileges to gain control over the data in the Informix database, leading to complete compromise of confidentiality, integrity, and availability.

About this Review

On the second Tuesday of each month, SAP release security updates to their software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations for each of our managed service customers.

There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.
