SAP has released 19 new Security Notes and two updates to existing patches in its February 2025 Security Patch Day, targeting high-risk vulnerabilities across its product suite.
The updates include fixes for cross-site scripting (XSS), authentication bypasses, and authorization flaws affecting platforms like SAP NetWeaver, BusinessObjects, and SAP Commerce.
SAP strongly recommends that customers apply these patches promptly to safeguard their systems against potential exploitation.
SAP Security Update – 19 Vulnerabilities Patched
The February release prioritizes high-severity vulnerabilities, with several rated as “High Priority” based on their Common Vulnerability Scoring System (CVSS) scores. Below are some of the critical and high-priority vulnerabilities addressed:
Cross-Site Scripting in NetWeaver AS Java (CVE-2024-22126)
A high-priority vulnerability tracked as CVE-2024-22126, has been discovered in SAP NetWeaver AS Java (User Admin Application) version 7.50.
This Cross-Site Scripting (XSS) vulnerability, with a CVSS score of 8.8, allows attackers to inject malicious scripts into web applications, potentially compromising user data and system integrity. An update to this Security Note was also issued.
Improper Authorization in SAP BusinessObjects BI Platform (CVE-2025-0064)
A high-priority vulnerability, identified as CVE-2025-0064, has been discovered in the Central Management Console of SAP BusinessObjects BI Platform, versions ENTERPRISE 430 and 2025.
This “Improper Authorization” flaw, with a CVSS score of 8.7, could allow unauthorized users to access sensitive data or functionalities within the BusinessObjects platform.
Path Traversal in SAP Supplier Relationship Management (CVE-2025-25243)
A high-priority vulnerability, CVE-2025-25243, has been identified in SAP Supplier Relationship Management’s Master Data Management Catalog, version SRM_MDM_CAT 7.52.
This “Path Traversal” vulnerability, with a CVSS score of 8.6, allows attackers to manipulate file paths, potentially leading to unauthorized access or data corruption.
Authentication Bypass in SAP Approuter (CVE-2025-24876)
A high-priority vulnerability, CVE-2025-24876, affects the SAP Approuter library, versions 2.6.1 through 16.7.1.
This “Authentication Bypass” vulnerability, with a CVSS score of 8.1, allows attackers to bypass authentication mechanisms by injecting malicious authorization codes, thereby compromising application security.
Multiple Vulnerabilities in SAP Enterprise Project Connection (CVE-2024-38819)
Multiple vulnerabilities, collectively identified as CVE-2024-38819, have been discovered in SAP Enterprise Project Connection version 3.0.
This high-priority issue, with a CVSS score of 7.5, encompasses a set of vulnerabilities that could impact both system availability and data confidentiality.
Medium and Low-Priority Vulnerabilities
In addition to the high-priority issues, several medium-priority vulnerabilities were also addressed:
- Open Redirect in SAP HANA extended application services (CVE-2025-24868), CVSS Score: 7.1.
- Missing Defense-in-Depth for Clickjacking in SAP Commerce Backoffice (CVE-2025-24874), CVSS Score: 6.8.
- Information Disclosure in SAP NetWeaver Application Server ABAP (CVE-2025-23193), CVSS Score: 5.3.
- Cache Poisoning in SAP Fiori for ERP (CVE-2025-23191), CVSS Score: 3.1.
SAP emphasized the importance of addressing these vulnerabilities immediately due to their potential for exploitation by malicious actors.
The full list of Security Notes is available on the SAP Support Portal. Enterprises using SAP’s cloud services are automatically patched, while on-premise users must apply updates manually.
This month’s security updates underline the criticality of maintaining an up-to-date SAP environment to prevent potential breaches or system compromises.
Organizations using affected products should prioritize patching based on CVSS scores and operational impact while ensuring thorough testing before deployment.
PCI DSS 4.0 & Supply Chain Attack Prevention – Free Webinar