SAP released a comprehensive security update on August 12th, 2025, addressing 15 new vulnerabilities across its enterprise software portfolio, including three critical code injection flaws that pose significant risks to organizations worldwide.
The monthly Security Patch Day also included four updates to previously released security notes, demonstrating SAP’s ongoing commitment to addressing emerging threats in its enterprise applications.
Key Takeaways
1. 3 code injection vulnerabilities in S/4HANA and Landscape Transformation allow remote code execution.
2. Low attack complexity with minimal privileges makes these flaws easily exploitable for system compromise.
3. 15 total vulnerabilities across NetWeaver, Business One, and core SAP platforms requiring immediate patching.
Among the most concerning discoveries are injection vulnerabilities affecting core SAP S/4HANA systems and the SAP Landscape Transformation platform, each carrying a maximum CVSS score of 9.9.
These critical vulnerabilities enable remote code execution with minimal user privileges, potentially allowing attackers to compromise entire SAP landscapes and access sensitive business data.
Critical Code Injection Vulnerabilities
The three critical vulnerabilities identified in this patch cycle represent some of the most severe security risks ever documented in SAP systems.
CVE-2025-42957 affects SAP S/4HANA Private Cloud and On-Premise installations across versions S4CORE 102 through 108, enabling authenticated attackers to execute arbitrary code with elevated privileges.
Similarly, CVE-2025-42950 targets the SAP Landscape Transformation Analysis Platform, affecting multiple DMIS versions from 2011_1_700 to 2020.
The third critical flaw, CVE-2025-27429, represents an updated security note originally released in April 2025, indicating that additional attack vectors or incomplete remediation may have been discovered since the initial patch.
These injection vulnerabilities exploit inadequate input validation mechanisms within SAP’s ABAP runtime environment, allowing malicious actors to inject and execute unauthorized code through network-accessible interfaces.
The attack complexity is rated as low (AC:L), requiring only low-level privileges (PR:L) and no user interaction (UI:N), making these vulnerabilities particularly attractive to cybercriminals.
The scope designation of “Changed” (S:C) indicates that successful exploitation could impact resources beyond the vulnerable component, potentially leading to complete system compromise.
Authorization and Injection Flaws
Beyond the critical injection vulnerabilities, this patch cycle addresses a diverse range of security weaknesses spanning authorization bypasses, cross-site scripting (XSS), and information disclosure issues.
CVE-2025-42951 in SAP Business One SLD represents a high-severity broken authorization vulnerability with a CVSS score of 8.8, affecting both B1_ON_HANA 10.0 and SAP-M-BO 10.0 versions.
The SAP NetWeaver Application Server ABAP ecosystem faces multiple security challenges, including CVE-2025-42976, addressing multiple vulnerabilities in BIC Document functionality and several XSS vulnerabilities affecting different platform components.
Medium-severity vulnerabilities include directory traversal flaws in S/4HANA Bank Communication Management (CVE-2025-42946) and HTML injection issues in NetWeaver Application Server ABAP (CVE-2025-42945).
Additional concerns emerge from missing authorization checks across various SAP_BASIS versions and information disclosure vulnerabilities in the Internet Communication Manager component.
| CVE ID | Title | CVSS 3.1 Score | Severity |
| CVE-2025-42957 | Code Injection vulnerability in SAP S/4HANA (Private Cloud or On-Premise) | 9.9 | Critical |
| CVE-2025-42950 | Code Injection Vulnerability in SAP Landscape Transformation (Analysis Platform) | 9.9 | Critical |
| CVE-2025-27429 | Code Injection Vulnerability in SAP S/4HANA (Private Cloud or On-Premise) | 9.9 | Critical |
| CVE-2025-42951 | Broken Authorization in SAP Business One (SLD) | 8.8 | High |
| CVE-2025-42976 | Multiple vulnerabilities in SAP NetWeaver Application Server ABAP (BIC Document) | 8.1 | High |
| CVE-2025-42975 | Multiple vulnerabilities in SAP NetWeaver Application Server ABAP (BIC Document) | 8.1 | High |
| CVE-2025-42946 | Directory Traversal vulnerability in SAP S/4HANA (Bank Communication Management) | 6.9 | Medium |
| CVE-2025-42945 | HTML Injection vulnerability in SAP NetWeaver Application Server ABAP | 6.1 | Medium |
| CVE-2025-42942 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server for ABAP | 6.1 | Medium |
| CVE-2025-42948 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Platform | 6.1 | Medium |
| CVE-2025-0059 | Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP | 6.0 | Medium |
| CVE-2025-42936 | Missing Authorization check in SAP NetWeaver Application Server for ABAP | 5.4 | Medium |
| CVE-2025-23194 | Missing Authentication check in SAP NetWeaver Enterprise Portal (OBN component) | 5.3 | Medium |
| CVE-2025-42949 | Missing Authorization check in ABAP Platform | 4.9 | Medium |
| CVE-2025-42943 | Information Disclosure in SAP GUI for Windows | 4.5 | Medium |
| CVE-2025-42934 | CRLF Injection vulnerability in SAP S/4HANA (Supplier invoice) | 4.3 | Medium |
| CVE-2025-31331 | Authorization Bypass vulnerability in SAP NetWeaver | 4.3 | Medium |
| CVE-2025-42935 | Information Disclosure vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | 4.1 | Medium |
| CVE-2025-42955 | Missing authorization check in SAP Cloud Connector | 3.5 | Low |
| CVE-2025-42941 | Reverse Tabnabbing vulnerability in SAP Fiori (Launchpad) | 3.5 | Low |
The security notes also address client-side vulnerabilities, including a reverse tabnabbing issue in SAP Fiori Launchpad (CVE-2025-42941) and information disclosure in SAP GUI for Windows (CVE-2025-42943).
Organizations running SAP systems must prioritize the immediate deployment of these security patches, particularly for the three critical code injection vulnerabilities that could enable complete system compromise.
SAP recommends that customers visit their Support Portal and apply patches based on priority ratings to protect their enterprise landscapes.
Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.
Source link
