SAP launched a complete safety replace on August twelfth, 2025, addressing 15 new vulnerabilities throughout its enterprise software program portfolio, together with three vital code injection flaws that pose vital dangers to organizations worldwide.
The month-to-month Safety Patch Day additionally included 4 updates to beforehand launched safety notes, demonstrating SAP’s ongoing dedication to addressing rising threats in its enterprise functions.
Key Takeaways1. 3 code injection vulnerabilities in S/4HANA and Panorama Transformation enable distant code execution.2. Low assault complexity with minimal privileges makes these flaws simply exploitable for system compromise.3. 15 complete vulnerabilities throughout NetWeaver, Enterprise One, and core SAP platforms requiring speedy patching.
Among the many most regarding discoveries are injection vulnerabilities affecting core SAP S/4HANA methods and the SAP Panorama Transformation platform, every carrying a most CVSS rating of 9.9.
These vital vulnerabilities allow distant code execution with minimal consumer privileges, doubtlessly permitting attackers to compromise total SAP landscapes and entry delicate enterprise knowledge.
Essential Code Injection Vulnerabilities
The three vital vulnerabilities recognized on this patch cycle characterize a number of the most extreme safety dangers ever documented in SAP methods.
CVE-2025-42957 impacts SAP S/4HANA Personal Cloud and On-Premise installations throughout variations S4CORE 102 by way of 108, enabling authenticated attackers to execute arbitrary code with elevated privileges.
Equally, CVE-2025-42950 targets the SAP Panorama Transformation Evaluation Platform, affecting a number of DMIS variations from 2011_1_700 to 2020.
The third vital flaw, CVE-2025-27429, represents an up to date safety notice initially launched in April 2025, indicating that extra assault vectors or incomplete remediation could have been found because the preliminary patch.
These injection vulnerabilities exploit insufficient enter validation mechanisms inside SAP’s ABAP runtime surroundings, permitting malicious actors to inject and execute unauthorized code by way of network-accessible interfaces.
The assault complexity is rated as low (AC:L), requiring solely low-level privileges (PR:L) and no consumer interplay (UI:N), making these vulnerabilities significantly enticing to cybercriminals.
The scope designation of “Modified” (S:C) signifies that profitable exploitation might impression sources past the weak part, doubtlessly main to finish system compromise.
Authorization and Injection Flaws
Past the vital injection vulnerabilities, this patch cycle addresses a various vary of safety weaknesses spanning authorization bypasses, cross-site scripting (XSS), and data disclosure points.
CVE-2025-42951 in SAP Enterprise One SLD represents a high-severity damaged authorization vulnerability with a CVSS rating of 8.8, affecting each B1_ON_HANA 10.0 and SAP-M-BO 10.0 variations.
The SAP NetWeaver Utility Server ABAP ecosystem faces a number of safety challenges, together with CVE-2025-42976, addressing a number of vulnerabilities in BIC Doc performance and several other XSS vulnerabilities affecting totally different platform parts.
Medium-severity vulnerabilities embrace listing traversal flaws in S/4HANA Financial institution Communication Administration (CVE-2025-42946) and HTML injection points in NetWeaver Utility Server ABAP (CVE-2025-42945).
Further considerations emerge from lacking authorization checks throughout varied SAP_BASIS variations and data disclosure vulnerabilities within the Web Communication Supervisor part.
CVE IDTitleCVSS 3.1 ScoreSeverityCVE-2025-42957Code Injection vulnerability in SAP S/4HANA (Personal Cloud or On-Premise)9.9CriticalCVE-2025-42950Code Injection Vulnerability in SAP Panorama Transformation (Evaluation Platform)9.9CriticalCVE-2025-27429Code Injection Vulnerability in SAP S/4HANA (Personal Cloud or On-Premise)9.9CriticalCVE-2025-42951Broken Authorization in SAP Enterprise One (SLD)8.8HighCVE-2025-42976Multiple vulnerabilities in SAP NetWeaver Utility Server ABAP (BIC Doc)8.1HighCVE-2025-42975Multiple vulnerabilities in SAP NetWeaver Utility Server ABAP (BIC Doc)8.1HighCVE-2025-42946Directory Traversal vulnerability in SAP S/4HANA (Financial institution Communication Administration)6.9MediumCVE-2025-42945HTML Injection vulnerability in SAP NetWeaver Utility Server ABAP6.1MediumCVE-2025-42942Cross-Web site Scripting (XSS) vulnerability in SAP NetWeaver Utility Server for ABAP6.1MediumCVE-2025-42948Cross-Web site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Platform6.1MediumCVE-2025-0059Information Disclosure vulnerability in SAP NetWeaver Utility Server ABAP6.0MediumCVE-2025-42936Missing Authorization examine in SAP NetWeaver Utility Server for ABAP5.4MediumCVE-2025-23194Missing Authentication examine in SAP NetWeaver Enterprise Portal (OBN part)5.3MediumCVE-2025-42949Missing Authorization examine in ABAP Platform4.9MediumCVE-2025-42943Information Disclosure in SAP GUI for Windows4.5MediumCVE-2025-42934CRLF Injection vulnerability in SAP S/4HANA (Provider bill)4.3MediumCVE-2025-31331Authorization Bypass vulnerability in SAP NetWeaver4.3MediumCVE-2025-42935Information Disclosure vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform4.1MediumCVE-2025-42955Missing authorization examine in SAP Cloud Connector3.5LowCVE-2025-42941Reverse Tabnabbing vulnerability in SAP Fiori (Launchpad)3.5Low
The safety notes additionally tackle client-side vulnerabilities, together with a reverse tabnabbing subject in SAP Fiori Launchpad (CVE-2025-42941) and data disclosure in SAP GUI for Home windows (CVE-2025-42943).
Organizations operating SAP methods should prioritize the speedy deployment of those safety patches, significantly for the three vital code injection vulnerabilities that might allow full system compromise.
SAP recommends that prospects go to their Assist Portal and apply patches primarily based on precedence scores to guard their enterprise landscapes.
Enhance your SOC and assist your crew shield what you are promoting with free top-notch menace intelligence: Request TI Lookup Premium Trial.
