SAP Security Patch Day - April 2025
This post shares information on the Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches with priority to protect their SAP landscape.
On 8 April 2025, SAP Security Patch Day saw the release of 18 new Security Notes. In addition, there were 2 updates to previously released Security Notes.
| Note# | Title | Priority | CVSS |
|---|---|---|---|
| | [CVE-2025-27429] Code Injection Vulnerability in SAP S/4HANA (Private Cloud); Product - SAP S/4HANA (Private Cloud), Versions - S4CORE 102, 103, 104, 105, 106, 107, 108 | Critical | |
| | [CVE-2025-31330] Code Injection Vulnerability in SAP Landscape Transformation (Analysis Platform); Product - SAP Landscape Transformation (Analysis Platform), Versions - DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731 | Critical | |
| | [CVE-2025-30016] Authentication Bypass Vulnerability in SAP Financial Consolidation | Critical | |
| | Update to Security Note released on February 2025 Patch Day: [CVE-2025-0064] Improper Authorization in SAP BusinessObjects Business Intelligence platform | High | |
| | [CVE-2025-23186] Mixed Dynamic RFC Destination vulnerability through Remote Function Call (RFC) in SAP NetWeaver Application Server ABAP | High | |
| | [CVE-2024-56337] Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat within SAP Commerce Cloud | High | |
| | [CVE-2025-30014] Directory Traversal vulnerability in SAP Capital Yield Tax Management | High | |
| | [CVE-2025-27428] Directory Traversal vulnerability in SAP NetWeaver and ABAP Platform (Service Data Collection) | High | |
| | [CVE-2025-26654] Potential information disclosure vulnerability in SAP Commerce Cloud (Public Cloud); Product - SAP Commerce Cloud (Public Cloud), Version - COM_CLOUD 2211 | Medium | |
| | [CVE-2025-30013] Code Injection vulnerability in SAP ERP BW Business Content; Product - SAP ERP BW Business Content, Versions - BI_CONT 707, 737, 747, 757 | Medium | |
| | [CVE-2025-31332] Insecure File permissions vulnerability in SAP BusinessObjects Business Intelligence Platform; Product - SAP BusinessObjects Business Intelligence Platform, Version - ENTERPRISE 430 | Medium | |
| | [CVE-2025-26657] Information Disclosure vulnerability in SAP KMC WPC; Product - SAP KMC WPC, Version - KMC-WPC 7.50 | Medium | |
| | [CVE-2025-26653] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML); Product - SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML), Versions - KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.14 | Medium | |
| | [CVE-2025-30017] Missing Authorization check in SAP Solution Manager; Product - SAP Solution Manager, Versions - ST 720, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 914 | Medium | |
| | [CVE-2025-31333] OData meta-data tampering in SAP S4CORE entity; Product - SAP S4CORE entity, Versions - S4CORE 107, 108 | Medium | |
| | [CVE-2025-27437] Missing Authorization check in SAP NetWeaver Application Server ABAP (Virus Scan Interface); Product - SAP NetWeaver Application Server ABAP (Virus Scan Interface), Versions - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 | Medium | |
| | [CVE-2025-31331] Authorization Bypass vulnerability in SAP NetWeaver; Product - SAP NetWeaver, Versions - SAP_ABA 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G, 75H, 75I | Medium | |
| | [CVE-2025-27435] Information Disclosure Vulnerability in SAP Commerce Cloud; Product - SAP Commerce Cloud, Versions - HY_COM 2205, COM_CLOUD 2211 | Medium | |
| | [CVE-2025-30015] Memory Corruption vulnerability in SAP NetWeaver and ABAP Platform (Application Server ABAP); Product - SAP NetWeaver and ABAP Platform (Application Server ABAP), Versions - KRNL64UC 7.53, KERNEL 7.53, 7.54 | Medium | |
| | Update to Security Note released on March 2025 Patch Day: [CVE-2025-27430] Server Side Request Forgery (SSRF) in SAP CRM and SAP S/4 HANA (Interaction Center) | Low | |
Three new Security Notes were released after the scheduled Monthly Patch Day. Additionally, 2 previously released Security Notes were updated.

| Note# | Title | Priority | CVSS |
|---|---|---|---|
| | [CVE-2025-31324] Missing Authorization check in SAP NetWeaver (Visual Composer development server) | Critical | |
| | Update to Security Note released on April 2025 Patch Day: Product - SAP S/4HANA (Private Cloud), Versions - S4CORE 102, 103, 104, 105, 106, 107, 108 | Critical | |
| | Update to Security Note released on April 2025 Patch Day: Product - SAP Landscape Transformation (Analysis Platform), Versions - DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731 | Critical | |
| | [CVE-2025-31328] Cross-Site Request Forgery (CSRF) vulnerability in SAP S/4 HANA (Learning Solution); Product - SAP S/4 HANA (Learning Solution), Versions - S4HCMGXX 100, 101 | Medium | |
| | [CVE-2025-31327] OData meta-data property entity tampering in SAP Field Logistics | Medium | |
Learn more about the security researchers and research companies who contributed to this month's security patches.
SAP is committed to delivering trustworthy products and cloud services. Secure configuration is essential to secure operation and data integrity. We have therefore documented security recommendations, consolidated in this document, to help you configure the best security for your SAP portfolio.
Archived blogs from previous years are available here.
If you have any comments or feedback about this post, you can write to secure@sap.com.