Cyber Web Spider Blog – News

SAP Patches Critical Flaws That Could Allow Remote Code Execution, Full System Takeover

Posted on July 8, 2025 By CWS

Enterprise software maker SAP on Tuesday announced the release of 27 new and four updated security notes as part of its July 2025 Security Patch Day, including six that address critical vulnerabilities.

At the top of the list is an update for a note released in May, which addresses five security defects in its Supplier Relationship Management (SRM).

SAP initially marked the note as high-priority, based on the severity score of the most important of these bugs. Now, it has updated the rating to ‘critical’, upon learning that the impact of one of these issues is much higher than initially determined.

The CVSS score for the bug, tracked as CVE-2025-30012, has been updated from 3.9 to 10/10, after it was determined that it could be abused by unauthenticated attackers to execute arbitrary OS commands with administrative privileges.

The issue exists because the Live Auction Cockpit component of SRM uses a deprecated Java applet that can decode crafted malicious requests, resulting in the insecure deserialization of data and command execution.

The second note in SAP’s July 2025 Security Patch Day advisory addresses CVE-2025-42967 (CVSS score of 9.9), a remote code execution vulnerability in S/4HANA and SCM.

An attacker with user-level privileges can exploit the flaw to create a new report containing their own code, which could allow them to take full control of a vulnerable SAP system.

SAP’s fresh round of security notes also resolves four critical-severity insecure deserialization flaws in various components of NetWeaver.

The issues, tracked as CVE-2025-42963, CVE-2025-42964, CVE-2025-42966, and CVE-2025-42980 (CVSS score of 9.1), could be exploited by attackers with high privileges to compromise the application and system, or take full control of the host system, security firm Onapsis explains.

Four high-severity issues in NetWeaver, Business Objects, and Business Warehouse were also patched this week, and a high-priority note released last month to address a directory traversal in NetWeaver’s Visual Composer component was updated.

SAP users are advised to update their deployments as soon as possible. Although the software maker makes no mention of any of these vulnerabilities being exploited in the wild, threat actors are known to have targeted SAP flaws to compromise enterprise environments.
