SAP has fixed two critical vulnerabilities affecting NetWeaver web application server that could be exploited to escalate privileges and access restricted information.
As part of the January Security Patch Day, the vendor also released updates for other products to patch 12 additional issues rated with medium and high severity.
“SAP strongly recommends that the customer visits the Support Portal and applies patches on priority to protect their SAP landscape,” reads the company’s security bulletin.
The four most severe security problem SAP addressed this month are summarized as follows:
- CVE-2025-0070, critical severity, 9.9 score): Improper authentication in SAP NetWeaver Application Server for ABAP and ABAP Platform allows an authenticated attacker to exploit improper authentication checks, resulting in privilege escalation and significantly impacting confidentiality, integrity, and availability.
- CVE-2025-0066, critical severity, 9.9 score: Information disclosure vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) occurs due to weak access controls, enabling an attacker to access restricted information and significantly compromising confidentiality, integrity, and availability.
- CVE-2025-0063, high severity, 8.8 score: SQL injection vulnerability in SAP NetWeaver AS ABAP and ABAP Platform arises from a lack of authorization checks for certain RFC function modules. This allows an attacker with basic privileges to compromise an Informix database, leading to a complete loss of confidentiality, integrity, and availability.
- CVE-2025-0061, high severity, 8.7 score: Multiple vulnerabilities in SAP BusinessObjects Business Intelligence Platform allow an unauthenticated attacker to perform session hijacking over the network due to an information disclosure issue. This enables the attacker to access and modify all application data.
Impact and recommendations
SAP products serve large enterprises across industries such as manufacturing, finance, retail, healthcare, and government, fulfilling critical roles for managing business operations and customer relations.
SAP NetWeaver is a core platform for running ABAP applications and enabling secure communication via the Internet Communication Framework. It’s typically used by IT administrators, developers, and consultants in enterprises managing ERP systems for finance, HR, and supply chain.
SAP BusinessObjects is a platform for reporting, analytics, and data visualization used by analysts, decision-makers, and IT teams to derive insights and support strategic decisions.
Hackers in the past have targeted SAP products that had not been updated to address known vulnerabilities or were improperly configured, leaving networks exposed to breaches.
The German vendor strongly recommends that customers apply the latest patches available to protect their SAP environment.