SAP Patches Critical S/4HANA Vulnerability

Posted on August 12, 2025 By CWS

SAP has fixed more than a dozen vulnerabilities with its August 2025 Patch Tuesday updates, including critical vulnerabilities.

This Patch Tuesday (or, as the enterprise software giant calls it, Security Patch Day), 15 new security notes (fixes) have been released, along with 4 updates to previous fixes.

Onapsis, a company specializing in enterprise application security, which often finds SAP product vulnerabilities, pointed out that the vendor has released a total of 26 new and updated fixes since the previous Patch Tuesday.

Of these 26 fixes, 4 have been classified as ‘hot news’ or ‘critical’, including two that are new and two updates to previous patches. The new ‘hot news’ patches are for CVE-2025-42950 and CVE-2025-42957, which have been described as code injection issues.

According to Onapsis, they can be exploited for arbitrary code execution, which could lead to a full system compromise.

CVE-2025-42950 and CVE-2025-42957 are the same vulnerability, Onapsis said, but different CVEs have been assigned to different products. CVE-2025-42957 has been assigned to the S/4HANA enterprise resource planning (ERP) software, while CVE-2025-42950 is for the older generation of the ERP software, ERP Central Component (ECC).

The new high-priority patches address a broken authorization issue in SAP Business One (CVE-2025-42951, allows an authenticated attacker to obtain admin privileges), and multiple memory corruption bugs in NetWeaver Application Server ABAP (CVE-2025-42976, can lead to sensitive information leaks).

The remaining new issues, which have ‘low’ or ‘medium’ priority, impact S/4HANA, NetWeaver, ABAP Platform, Cloud Connector and other products.

It’s important for organizations to install the available updates, as it’s not uncommon for threat actors to exploit SAP product vulnerabilities in their attacks.

SAP customers were recently warned that a NetWeaver zero-day flaw patched in April had been exploited since at least January. NetWeaver vulnerabilities have been exploited recently by both ransomware groups and cyberspies.
