Fixes for 27 Flaws, Including 7 Critical

SAP released critical security updates on July 8, 2025, addressing 27 vulnerabilities across its enterprise software portfolio, with seven classified as critical-severity flaws.

The monthly Security Patch Day also included three updates to previously released security notes, underscoring the ongoing security challenges facing enterprise software environments.

The most severe vulnerability, CVE-2025-30012, affects SAP Supplier Relationship Management’s Live Auction Cockpit component and carries a maximum CVSS score of 10.0.

This critical flaw encompasses multiple vulnerabilities, including CVE-2025-30009, CVE-2025-30010, CVE-2025-30011, and CVE-2025-30018, potentially allowing attackers to gain complete system control.

| CVE | Product | Priority | CVSS | Type |
|---|---|---|---|---|
| CVE-2025-30012 | SAP Supplier Relationship Management | Critical | 10.0 | Multiple vulnerabilities |
| CVE-2025-42967 | SAP S/4HANA and SAP SCM | Critical | 9.1 | Code Injection |
| CVE-2025-42980 | SAP NetWeaver Enterprise Portal | Critical | 9.1 | Insecure Deserialization |
| CVE-2025-42964 | SAP NetWeaver Enterprise Portal | Critical | 9.1 | Insecure Deserialization |
| CVE-2025-42966 | SAP NetWeaver XML Data Archiving | Critical | 9.1 | Insecure Deserialization |
| CVE-2025-42963 | SAP NetWeaver Application Server Java | Critical | 9.1 | Unsafe Deserialization |
| CVE-2025-42959 | SAP NetWeaver ABAP Server | High | 8.1 | Missing Authentication |
| CVE-2025-42953 | SAP NetWeaver Application Server ABAP | High | 8.1 | Missing Authorization |
| CVE-2024-53677 | SAP Business Objects BI Platform | High | 8.0 | Insecure File Operations |
| CVE-2025-42952 | SAP Business Warehouse | High | 7.7 | Missing Authorization |
| CVE-2025-42977 | SAP NetWeaver Visual Composer | High | 7.6 | Directory Traversal |
| CVE-2025-43001 | SAPCAR | Medium | 6.9 | Privilege Escalation |
| CVE-2025-42993 | SAP S/4HANA Enterprise Event | Medium | 6.7 | Missing Authorization |
| CVE-2025-42981 | SAP NetWeaver Application Server ABAP | Medium | 6.1 | Multiple vulnerabilities |
| CVE-2025-42969 | SAP NetWeaver Application Server ABAP | Medium | 6.1 | Cross-Site Scripting |
| CVE-2025-42962 | SAP Business Warehouse | Medium | 6.1 | Cross-Site Scripting |
| CVE-2025-42985 | SAP BusinessObjects Content Administrator | Medium | 6.1 | Open Redirect |
| CVE-2025-42970 | SAPCAR | Medium | 5.8 | Directory Traversal |
| CVE-2025-42979 | SAP GUI for Windows | Medium | 5.6 | Insecure Key Management |
| CVE-2025-42973 | SAP Data Services | Medium | 5.4 | Cross-Site Scripting |
| CVE-2025-42968 | SAP NetWeaver RFC | Medium | 5.0 | Missing Authorization |
| CVE-2025-42961 | SAP NetWeaver Application Server ABAP | Medium | 4.9 | Missing Authorization |
| CVE-2025-42960 | SAP Business Warehouse BEx Tools | Medium | 4.3 | Missing Authorization |
| CVE-2025-42986 | SAP NetWeaver and ABAP Platform | Medium | 4.3 | Missing Authorization |
| CVE-2025-42974 | SAP NetWeaver and ABAP Platform | Medium | 4.3 | Missing Authorization |
| CVE-2025-31326 | SAP BusinessObjects BI Platform | Medium | 4.1 | HTML Injection |
| CVE-2025-42965 | SAP BusinessObjects BI Platform | Medium | 4.1 | Server Side Request Forgery |
| CVE-2025-42971 | SAPCAR | Medium | 4.0 | Memory Corruption |
| CVE-2025-42978 | SAP NetWeaver Application Server Java | Low | 3.5 | Insecure Hostname Verification |
| CVE-2025-42954 | SAP NetWeaver Business Warehouse | Low | 2.7 | Denial of Service |

Code injection and deserialization vulnerabilities dominate the critical category, with five additional flaws scoring 9.1 on the CVSS scale.

CVE-2025-42967 represents a code injection vulnerability in SAP S/4HANA and SAP SCM’s Characteristic Propagation component, affecting multiple versions across SCMAPO, S4CORE, S4COREOP, and SCM product lines.

The patches also address SAPCAR vulnerabilities, including privilege escalation (CVE-2025-43001), directory traversal (CVE-2025-42970), and memory corruption (CVE-2025-42971) issues in the SAP archive utility.

SAP strongly recommends immediate patching, particularly for critical vulnerabilities affecting internet-facing systems.

Organizations should prioritize updates based on their specific SAP landscape and exposure levels, with critical patches requiring urgent attention to prevent potential system compromise.
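As an added illustration of the prioritization step (example code written for this page, not SAP's tooling or guidance), the script below parses rows in the "CVE Product Priority CVSS Type" layout used in the table above and sorts them into patch windows by combining the CVSS score with whether the affected component is internet-facing. The sample rows are copied from the table; the `EXPOSED` component list and the three triage rules are assumptions to be replaced with your own landscape inventory and policy.

```python
"""Triage a flattened SAP Patch Day table by severity and exposure.

Rows look like:  CVE-ID  Product name  Priority  CVSS  Vulnerability type
The product name has a variable number of words, so the parser anchors on
the priority keyword followed by a numeric score rather than on whitespace.
"""
import re
from dataclasses import dataclass

ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+(?P<product>.+?)\s+"
    r"(?P<priority>Critical|High|Medium|Low)\s+"
    r"(?P<cvss>\d{1,2}\.\d)\s+(?P<kind>.+)$"
)

# Sample rows copied from the advisory table above (header included to show it is skipped).
SAMPLE_ROWS = """\
CVE Product Priority CVSS Type
CVE-2025-30012 SAP Supplier Relationship Management Critical 10.0 Multiple vulnerabilities
CVE-2025-42980 SAP NetWeaver Enterprise Portal Critical 9.1 Insecure Deserialization
CVE-2025-42959 SAP NetWeaver ABAP Server High 8.1 Missing Authentication
CVE-2024-53677 SAP Business Objects BI Platform High 8.0 Insecure File Operations
CVE-2025-42977 SAP NetWeaver Visual Composer High 7.6 Directory Traversal
CVE-2025-43001 SAPCAR Medium 6.9 Privilege Escalation
CVE-2025-42978 SAP NetWeaver Application Server Java Low 3.5 Insecure Hostname Verification
"""

# Assumption: components reachable from the internet in this (hypothetical) landscape.
EXPOSED = ("NetWeaver Enterprise Portal", "Business Objects BI Platform")


@dataclass(frozen=True)
class SecurityNote:
    cve: str
    product: str
    priority: str
    cvss: float
    kind: str


def parse_rows(text: str) -> list:
    """Return one SecurityNote per advisory row; header and blank lines are skipped."""
    notes = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m is None:
            continue  # header row or non-table text
        notes.append(SecurityNote(m["cve"], m["product"], m["priority"],
                                  float(m["cvss"]), m["kind"]))
    return notes


def is_exposed(note: SecurityNote, exposed_components) -> bool:
    """Case-insensitive substring match of the product against the exposure list."""
    return any(c.lower() in note.product.lower() for c in exposed_components)


def triage(notes, exposed_components) -> list:
    """Return (action, note) pairs, most urgent first.

    Rules (an assumption for illustration, not SAP's guidance):
      * Critical priority, or CVSS >= 7.0 on an exposed component -> "patch now"
      * remaining High priority                                   -> "next maintenance window"
      * everything else                                           -> "scheduled"
    """
    def action(n: SecurityNote) -> str:
        if n.priority == "Critical" or (is_exposed(n, exposed_components) and n.cvss >= 7.0):
            return "patch now"
        if n.priority == "High":
            return "next maintenance window"
        return "scheduled"

    order = {"patch now": 0, "next maintenance window": 1, "scheduled": 2}
    tagged = [(action(n), n) for n in notes]
    # Within a window, highest CVSS first; CVE id breaks ties deterministically.
    return sorted(tagged, key=lambda t: (order[t[0]], -t[1].cvss, t[1].cve))


if __name__ == "__main__":
    for act, note in triage(parse_rows(SAMPLE_ROWS), EXPOSED):
        print(f"{act:<24} {note.cve}  {note.cvss:>4}  {note.product}  ({note.kind})")
```

Note that CVE-2024-53677 (CVSS 8.0, High) lands in the "patch now" window ahead of CVE-2025-42959 (CVSS 8.1, High) purely because the BI Platform is on the exposure list; that is the point of weighting by landscape rather than by score alone.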
