SAP June 2025 Patch Day

SAP released its monthly Security Patch Day update addressing 14 critical vulnerabilities across multiple enterprise products. 

The comprehensive security update includes patches addressing critical authorization bypass issues and cross-site scripting vulnerabilities, with CVSS scores ranging from 3.0 to 9.6. 

Organizations using SAP enterprise solutions are strongly advised to prioritize the implementation of these security patches to protect their business-critical landscapes from potential exploitation.

Critical & High-severity Vulnerabilities Patched

The most severe vulnerability addressed in this patch cycle is CVE-2025-42989, a missing authorization check in SAP NetWeaver Application Server for ABAP. 

This critical flaw carries a maximum CVSS score of 9.6 and affects KERNEL versions 7.89, 7.93, 9.14, and 9.15. 

The vulnerability could potentially allow unauthorized access to sensitive business functions, making immediate patching essential for organizations running these kernel versions.

CVE-2025-42982 represents a high-priority information disclosure vulnerability in SAP GRC (AC Plugin) with a CVSS score of 8.8. 

This security flaw affects GRCPINW versions V1100_700 and V1100_731, potentially exposing sensitive governance, risk, and compliance data to unauthorized users.

Additionally, CVE-2025-42983 addresses a missing authorization check in SAP Business Warehouse and SAP Plug-In Basis, scoring 8.5 on the CVSS scale and affecting multiple versions, including PI_BASIS 2006_1_700 through 731, 740, and SAP_BW versions 750 through 915.

Medium Severity Vulnerabilities

Several medium-priority vulnerabilities were addressed, focusing primarily on SAP S/4HANA applications. 

CVE-2025-42993 addresses a missing authorization check in SAP S/4HANA’s Enterprise Event Enablement functionality, impacting SAP_GWFND versions 757 and 758, with a CVSS score of 6.7. 

This vulnerability could potentially allow unauthorized access to enterprise event processing capabilities.

CVE-2025-31325 addresses a Cross-Site Scripting vulnerability in SAP NetWeaver’s ABAP Keyword Documentation, specifically impacting SAP_BASIS version 758 with a CVSS score of 5.8. 

The patch also includes fixes for CVE-2025-42984, which resolves authorization check issues in SAP S/4HANA’s Manage Central Purchase Contract application affecting S4CORE versions 106, 107, and 108.

Additional medium-priority patches include CVE-2025-42998 for security misconfiguration in SAP Business One Integration Framework and CVE-2025-42987 addressing authorization checks in SAP S/4HANA’s bank statement processing rules functionality.

Low Severity Vulnerabilities

CVE-2025-42988 addresses Server-Side Request Forgery in SAP Business Objects Business Intelligence Platform, affecting ENTERPRISE versions 430, 2025, and 2027 with a CVSS score of 3.7. 

CVE-2025-42990 resolves HTML injection issues in unprotected SAPUI5 applications across multiple UI versions.

SAP strongly recommends that customers visit the Support Portal immediately to download and apply these critical security patches. 

Organizations should prioritize patches based on their CVSS scores and the criticality of affected systems within their enterprise landscape. 

Regular monitoring of SAP Security Patch Day releases remains essential for maintaining robust cybersecurity postures in enterprise environments.

Live Credential Theft Attack Unmask & Instant Defense – Free Webinar