
SAP Security Notes Review: March 2025

11 March 2025


Overview

SAP’s security patch day for March 2025 saw the release of 24 OSS SAP security notes. Based on their CVSS v3.0 ratings, five notes are classified as high, fifteen as medium and four as low.

[Figure: SAP security notes by CVSS v3 score, March 2025]

Two notes have been released for:

  • SAP S/4HANA
  • SAP BusinessObjects Business Intelligence Platform
  • SAP Just In Time
  • SAP NetWeaver Application Server ABAP

Single notes have been released for:

  • @sap/approuter
  • SAP Business Objects Business Intelligence Platform
  • SAP Business One (Service Layer)
  • SAP Business Warehouse (Process Chains)
  • SAP Commerce (Swagger UI)
  • SAP Commerce Cloud
  • SAP Commerce Cloud and SAP Datahub
  • SAP CRM and SAP S/4HANA (Interaction Center)
  • SAP Electronic Invoicing for Brazil (eDocument Cockpit)
  • SAP Fiori apps (Posting Library)
  • SAP NetWeaver (ABAP Class Builder)
  • SAP NetWeaver Application Server Java
  • SAP NetWeaver Enterprise Portal (OBN component)
  • SAP PDCE
  • SAP Permit to Work
  • SAP Web Dispatcher and Internet Communication Manager

[Figure: SAP security notes by product category]

Vulnerabilities: March 2025 Highlights

[CVE-2025-25244] Missing Authorisation Check in SAP Business Warehouse (Process Chains) (SAP Note 3552144)

SAP Business Warehouse (Process Chains) allows attackers to manipulate the process execution due to a missing authorisation check. An attacker with display authorisation for the process chain object could set one or all processes to be skipped. This means corresponding activities, such as data loading, activation, or deletion, will not be executed as initially modeled. This could lead to unexpected results in business reporting, leading to a significant impact on integrity. However, there is no impact on confidentiality or availability.

[CVE-2025-27430] Server Side Request Forgery (SSRF) in SAP CRM and SAP S/4HANA (Interaction Center) (SAP Note 3561861)

Under certain conditions, an SSRF vulnerability in SAP CRM and SAP S/4HANA (Interaction Center) allows an attacker with low privileges to access restricted information. This flaw enables the attacker to send requests to internal network resources, thereby compromising the application’s confidentiality.

[CVE-2025-25242] Cross-Site Scripting (XSS) in SAP NetWeaver Application Server ABAP (SAP Note 3562390)

SAP NetWeaver Application Server ABAP allows malicious scripts to be executed in the application, potentially leading to a Cross-Site Scripting (XSS) vulnerability. This has no impact on the application’s availability, but it can have some minor impact on its confidentiality and integrity.

[CVE-2025-26661] Missing Authorisation check in SAP NetWeaver (ABAP Class Builder) (SAP Note 3563927)

Due to missing authorisation checks, SAP NetWeaver (ABAP Class Builder) allows attackers to gain higher access levels than they should have, escalating privileges. This could result in the disclosure of highly sensitive information on successful exploitation. It could also greatly impact the integrity and availability of the application.

[CVE-2025-27432] Missing Authorisation check in SAP Electronic Invoicing for Brazil (eDocument Cockpit) (SAP Note 3568865)

The eDocument Cockpit (Inbound NF-e) in SAP Electronic Invoicing for Brazil allows an authenticated attacker with certain privileges to gain unauthorised access to each transaction. An unauthorised attacker could call each transaction and view the inbound delivery details by executing the specific ABAP method within the ABAP system. This vulnerability has a low impact on confidentiality and no effect on the integrity and availability of the application.

About this Review

On the second Tuesday of each month, SAP releases security updates for its software products. At Applexus, we analyse all of the released security updates and produce this security review, and we send bespoke recommendations to each of our managed service customers.

There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.
