SAP’s July 2025 Patch Day

SAP’s July 2025 Patch Day

SAP has released its July 2025 Security Patch Day update, addressing a significant number of vulnerabilities across its enterprise software portfolio. 

The comprehensive security update includes 27 new Security Notes and 3 updates to previously released patches, with seven vulnerabilities classified as critical based on their CVSS scores. 

The most severe vulnerability, affecting SAP Supplier Relationship Management (Live Auction Cockpit), has received the maximum CVSS score of 10.0, indicating the urgent need for immediate patching across SAP environments worldwide.

Google News

Key Takeaways
1. SAP released 27 new Security Notes plus 3 updates on July 8, 2025.
2. Seven critical vulnerabilities identified, with CVE-2025-30012 scoring maximum CVSS 10.0.
3. Affects major SAP products including S/4HANA, NetWeaver, ABAP Platform, and SAPCAR.
4. Immediate patch deployment is recommended for critical authentication and injection vulnerabilities.

Critical SAP SRM Vulnerability (CVE-2025-30012)

The seven critical vulnerabilities identified in this patch cycle pose significant risks to SAP environments and require immediate administrative action. 

The most severe threat comes from CVE-2025-30012, a multiple vulnerability issue in SAP Supplier Relationship Management (Live Auction Cockpit) affecting SRM_SERVER version 7.14. 

The vulnerability is particularly concerning due to its maximum CVSS score of 10.0, indicating that it presents an extremely high risk to affected systems with potential for complete system compromise.

The vulnerability is part of a broader security concern that encompasses multiple related CVEs, including CVE-2025-30009, CVE-2025-30010, CVE-2025-30011, and CVE-2025-30018. 

This interconnected nature suggests that the vulnerability affects multiple components or functions within the Live Auction Cockpit, potentially creating multiple attack vectors that malicious actors could exploit simultaneously.

Six Additional Critical Flaws

Six additional critical vulnerabilities, all scoring 9.1 on the CVSS scale, target various components of SAP’s infrastructure.

CVE-2025-42967 addresses a code injection vulnerability in SAP S/4HANA and SAP SCM (Characteristic Propagation), affecting multiple versions including SCMAPO 713-714, S4CORE 102-104, and S4COREOP 105-108. 

The remaining critical vulnerabilities focus on insecure deserialization issues across SAP NetWeaver Enterprise Portal components, including CVE-2025-42980 in the Federated Portal Network, CVE-2025-42964 in Portal Administration, CVE-2025-42966 in XML Data Archiving Service, and CVE-2025-42963 in the Log Viewer application for Java environments.

High and Medium Severity Flaws

High-priority vulnerabilities include CVE-2025-42959, which addresses missing authentication checks in SAP NetWeaver ABAP Server and ABAP Platform across multiple SAP_BASIS versions ranging from 700 to 915. 

This vulnerability scores 8.1 on the CVSS scale and affects a broad range of SAP installations.

Medium-priority vulnerabilities encompass a diverse range of security issues, including Cross-Site Scripting (XSS) vulnerabilities such as CVE-2025-42969 in SAP NetWeaver Application Server ABAP and CVE-2025-42962 in SAP Business Warehouse. 

Directory traversal vulnerabilities affecting SAPCAR (CVE-2025-42970) and privilege escalation issues (CVE-2025-43001) further demonstrate the comprehensive nature of this security update. 

The SAPCAR utility, essential for SAP package management, requires attention across versions 7.53 and 7.22EXT to address multiple security concerns including memory corruption (CVE-2025-42971) and insecure file operations.

CVEs Product Type CVSS 3.1 Score
CVE-2025-30012 SAP Supplier Relationship Management (Live Auction Cockpit) Multiple Vulnerabilities 10.0 (Critical)
CVE-2025-42967 SAP S/4HANA and SAP SCM (Characteristic Propagation) Code Injection 9.1 (Critical)
CVE-2025-42980 SAP NetWeaver Enterprise Portal Federated Portal Network Insecure Deserialization 9.1
(Critical)
CVE-2025-42964 SAP NetWeaver Enterprise Portal Administration Insecure Deserialization 9.1 (Critical)
CVE-2025-42966 SAP NetWeaver (XML Data Archiving Service) Insecure Java Deserialization 9.1 (Critical)
CVE-2025-42963 SAP NetWeaver Application Server for Java (Log Viewer) Unsafe Java Deserialization 9.1 (Critical)
CVE-2025-42959 SAP NetWeaver ABAP Server and ABAP Platform Missing Authentication Check 8.1 (High)
CVE-2025-42953 SAP NetWeaver Application Server for ABAP Missing Authorization Check 8.1 (High)
CVE-2024-53677 SAP Business Objects Business Intelligence Platform (CMC) Insecure File Operations 8.0 (High)
CVE-2025-42952 SAP Business Warehouse and SAP Plug-In Basis Missing Authorization Check 7.7 (High)
CVE-2025-42977 SAP NetWeaver Visual Composer Directory Traversal 7.6 (High)
CVE-2025-43001 SAPCAR Multiple Privilege Escalation 6.9 (Medium)
CVE-2025-42993 SAP S/4HANA (Enterprise Event Enablement) Missing Authorization Check 6.7 (Medium)
CVE-2025-42981 SAP NetWeaver Application Server ABAP Multiple Vulnerabilities 6.1(Medium)
CVE-2025-42969 SAP NetWeaver Application Server ABAP and ABAP Platform Cross-Site Scripting (XSS) 6.1 (Medium)
CVE-2025-42962 SAP Business Warehouse (Business Explorer Web 3.5 loading animation) Cross-Site Scripting (XSS) 6.1(Medium)
CVE-2025-42985 SAP BusinessObjects Content Administrator workbench Open Redirect 6.1(Medium)
CVE-2025-42970 SAPCAR Directory Traversal 5.8 (Medium)
CVE-2025-42979 SAP GUI for Windows Insecure Key & Secret Management 5.6(Medium)
CVE-2025-42973 SAP Data Services (DQ Report) Cross-Site Scripting (XSS) 5.4 (Medium)
CVE-2025-42968 SAP NetWeaver (RFC enabled function module) Missing Authorization Check 5.0 (Medium)
CVE-2025-42961 SAP NetWeaver Application Server for ABAP Missing Authorization Check 4.9 (Medium)
CVE-2025-42960 SAP Business Warehouse and SAP BW/4HANA BEx Tools Missing Authorization Check 4.3 (Medium)
CVE-2025-42986 SAP NetWeaver and ABAP Platform Missing Authorization Check 4.3 (Medium)
CVE-2025-42974 SAP NetWeaver and ABAP Platform (SDCCN) Missing Authorization Check 4.3 (Medium)
CVE-2025-31326 SAP BusinessObjects Business Intelligence Platform (Web Intelligence) HTML Injection 4.1 (Medium)
CVE-2025-42965 SAP BusinessObjects BI Platform Central Management Console Promotion Management Application Server Side Request Forgery (SSRF) 4.1(Medium)
CVE-2025-42971 SAPCAR Memory Corruption 4.0 (Medium)
CVE-2025-42978 SAP NetWeaver Application Server Java Insufficiently Secure Hostname Verification for Outbound TLS Connections 3.5 (Low)
CVE-2025-42954 SAP NetWeaver Business Warehouse (CCAW application) Denial of Service (DoS) 2.7 (Low)

Immediate Patching Required

SAP has emphasized the critical importance of applying these security patches immediately, particularly given the severity of the identified vulnerabilities. 

The company strongly recommends that customers visit the Support Portal and prioritize patch implementation to protect their SAP landscape from potential security breaches. 

The broad scope of affected products, ranging from SAP_BASIS components to specialized applications like Business Objects Business Intelligence Platform, underscores the importance of comprehensive patch management strategies.

The updates address fundamental security concerns, including authentication bypasses, authorization failures, and injection vulnerabilities that could potentially compromise entire SAP environments.

Exclusive Webinar Alert: Harnessing Intel® Processor Innovations for Advanced API Security – Register for Free


Source link