SAP Security Notes Review: June 2025

Overview

SAP’s security patch day for June 2025 has seen the release of 14 OSS SAP security notes. One note has been classified as critical, Five as high, six as medium, and two  as low based on CVSS v3.0 Rating.

Four notes have been released for:

• SAP S/4HANA

Single notes have been released for:

• SAP NetWeaver Application Server for ABAP
• SAP GRC
• SAP Business Warehouse and SAP Plug-In Basis
• SAP BusinessObjects Business Intelligence
• SAP NetWeaver Visual Composer
• SAP MDM Server
• SAP NetWeaver
• SAP Business One Integration Framework
• SAP Business Objects Business Intelligence Platform
• SAPUI5 applications

Vulnerabilities: June 2025 Highlights

[CVE-2025-42983] Missing Authorisation check in SAP Business Warehouse and SAP Plug-In Basis (SAP Note 3606484)

SAP Business Warehouse and SAP Plug-In Basis allow an authenticated attacker to drop arbitrary SAP database tables, potentially resulting in data loss or rendering the system unusable. Upon successful exploitation, an attacker can completely delete database entries but is unable to read any data.

[CVE-2025-42990] HTML Injection in Unprotected SAPUI5 applications (SAP Note 3601169)

Unprotected SAPUI5 applications allow an attacker with basic privileges to inject malicious HTML code into a webpage, with the goal of redirecting users to the attacker-controlled URL. This issue could impact the integrity of the application. 

About this Review

On the second Tuesday of each month, SAP release security updates to their software products. At Applexus, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations for each of our managed service customers.

There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.