Fixes for 27 Flaws, Including 7 Critical

   July 8, 2025  Posted in GBHackers


SAP released critical security updates on July 8, 2025, addressing 27 vulnerabilities across its enterprise software portfolio, with seven classified as critical-severity flaws.

The monthly Security Patch Day also included three updates to previously released security notes, underscoring the ongoing security challenges facing enterprise software environments.

The most severe vulnerability, CVE-2025-30012, affects SAP Supplier Relationship Management’s Live Auction Cockpit component and carries a maximum CVSS score of 10.0.

This critical flaw encompasses multiple vulnerabilities, including CVE-2025-30009, CVE-2025-30010, CVE-2025-30011, and CVE-2025-30018, potentially allowing attackers to gain complete system control.

CVEProductPriorityCVSSType
CVE-2025-30012SAP Supplier Relationship ManagementCritical10.0Multiple vulnerabilities
CVE-2025-42967SAP S/4HANA and SAP SCMCritical9.1Code Injection
CVE-2025-42980SAP NetWeaver Enterprise PortalCritical9.1Insecure Deserialization
CVE-2025-42964SAP NetWeaver Enterprise PortalCritical9.1Insecure Deserialization
CVE-2025-42966SAP NetWeaver XML Data ArchivingCritical9.1Insecure Deserialization
CVE-2025-42963SAP NetWeaver Application Server JavaCritical9.1Unsafe Deserialization
CVE-2025-42959SAP NetWeaver ABAP ServerHigh8.1Missing Authentication
CVE-2025-42953SAP NetWeaver Application Server ABAPHigh8.1Missing Authorization
CVE-2024-53677SAP Business Objects BI PlatformHigh8.0Insecure File Operations
CVE-2025-42952SAP Business WarehouseHigh7.7Missing Authorization
CVE-2025-42977SAP NetWeaver Visual ComposerHigh7.6Directory Traversal
CVE-2025-43001SAPCARMedium6.9Privilege Escalation
CVE-2025-42993SAP S/4HANA Enterprise EventMedium6.7Missing Authorization
CVE-2025-42981SAP NetWeaver Application Server ABAPMedium6.1Multiple vulnerabilities
CVE-2025-42969SAP NetWeaver Application Server ABAPMedium6.1Cross-Site Scripting
CVE-2025-42962SAP Business WarehouseMedium6.1Cross-Site Scripting
CVE-2025-42985SAP BusinessObjects Content AdministratorMedium6.1Open Redirect
CVE-2025-42970SAPCARMedium5.8Directory Traversal
CVE-2025-42979SAP GUI for WindowsMedium5.6Insecure Key Management
CVE-2025-42973SAP Data ServicesMedium5.4Cross-Site Scripting
CVE-2025-42968SAP NetWeaver RFCMedium5.0Missing Authorization
CVE-2025-42961SAP NetWeaver Application Server ABAPMedium4.9Missing Authorization
CVE-2025-42960SAP Business Warehouse BEx ToolsMedium4.3Missing Authorization
CVE-2025-42986SAP NetWeaver and ABAP PlatformMedium4.3Missing Authorization
CVE-2025-42974SAP NetWeaver and ABAP PlatformMedium4.3Missing Authorization
CVE-2025-31326SAP BusinessObjects BI PlatformMedium4.1HTML Injection
CVE-2025-42965SAP BusinessObjects BI PlatformMedium4.1Server Side Request Forgery
CVE-2025-42971SAPCARMedium4.0Memory Corruption
CVE-2025-42978SAP NetWeaver Application Server JavaLow3.5Insecure Hostname Verification
CVE-2025-42954SAP NetWeaver Business WarehouseLow2.7Denial of Service

Code injection and deserialization vulnerabilities dominate the critical category, with five additional flaws scoring 9.1 on the CVSS scale.

CVE-2025-42967 represents a code injection vulnerability in SAP S/4HANA and SAP SCM’s Characteristic Propagation component, affecting multiple versions across SCMAPO, S4CORE, S4COREOP, and SCM product lines.

The patches also address SAPCAR vulnerabilities, including privilege escalation (CVE-2025-43001), directory traversal (CVE-2025-42970), and memory corruption (CVE-2025-42971) issues in the SAP archive utility.

SAP strongly recommends immediate patching, particularly for critical vulnerabilities affecting internet-facing systems.

Organizations should prioritize updates based on their specific SAP landscape and exposure levels, with critical patches requiring urgent attention to prevent potential system compromise.

Stay Updated on Daily Cybersecurity News . Follow us on Google News, LinkedIn, and X.



Source link