SAP released critical security updates on August 12, 2025, addressing 15 vulnerabilities across its enterprise software portfolio, with three severe code injection flaws receiving the highest CVSS scores of 9.9.
The monthly Security Patch Day also included four updates to previously released security notes, highlighting the company’s ongoing commitment to protecting customer environments against evolving threats.
Critical Code Injection Vulnerabilities Lead Security Updates
The most severe vulnerabilities patched this month are three code injection flaws that could allow attackers to execute arbitrary code with elevated privileges.
Two new critical vulnerabilities, CVE-2025-42957 affecting SAP S/4HANA and CVE-2025-42950 impacting SAP Landscape Transformation, both received maximum severity ratings.
Additionally, SAP updated a previously disclosed code injection vulnerability (CVE-2025-27429) in S/4HANA that was first patched in April 2025.
| CVE ID | Product | Vulnerability Type | Priority | CVSS Score |
| CVE-2025-42957 | SAP S/4HANA | Code Injection | Critical | 9.9 |
| CVE-2025-42950 | SAP Landscape Transformation | Code Injection | Critical | 9.9 |
| CVE-2025-27429 | SAP S/4HANA | Code Injection | Critical | 9.9 |
| CVE-2025-42951 | SAP Business One | Broken Authorization | High | 8.8 |
| CVE-2025-42976 | SAP NetWeaver AS ABAP | Multiple Vulnerabilities | High | 8.1 |
| CVE-2025-42946 | SAP S/4HANA | Directory Traversal | Medium | 6.9 |
These injection vulnerabilities are particularly concerning as they affect core SAP products widely deployed across enterprise environments.
The flaws allow network-based attacks with low complexity, requiring only low-level privileges and no user interaction, making them attractive targets for cybercriminals seeking to compromise SAP landscapes.
The August patch cycle addresses vulnerabilities spanning multiple SAP products and severity levels:
Beyond the critical injection flaws, SAP addressed various other security issues including cross-site scripting (XSS) vulnerabilities in NetWeaver Application Server, authorization bypass issues, and information disclosure flaws.
Notably, the patch cycle includes fixes for SAP GUI for Windows and SAP Cloud Connector, demonstrating the broad scope of SAP’s security maintenance efforts.
The company also addressed multiple XSS vulnerabilities with CVSS scores of 6.1, affecting NetWeaver Application Server components.
While these vulnerabilities require user interaction to exploit, they could still facilitate phishing attacks or data theft in targeted scenarios.
SAP strongly recommends that customers immediately visit the Support Portal and apply these patches on a priority basis, particularly for the three critical code injection vulnerabilities.
Organizations should focus first on patching internet-facing SAP systems and those processing sensitive data.
The company has also published comprehensive security configuration guidelines to help organizations maintain robust security postures across their SAP portfolios.
Given the severity of the injection vulnerabilities and their potential for remote exploitation, security teams should treat this patch cycle as urgent and coordinate with SAP administrators to ensure rapid deployment across all affected systems.
Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates!
Source link
