SAP Patch Day: February 2025
![Security Notes](https://onapsis.com/wp-content/uploads/NEW-BRAND-Blog-images-1070x595-1.png)
Several SAP Applications affected by High Priority SAP Security Notes
Highlights of February SAP Security Notes analysis include:
- February Summary — Twenty-one new and updated SAP security patches released, including six High Priority Notes
- SAP High Priority Notes — SAP NetWeaver AS Java and SAP BusinessObjects carry the highest CVSS scores
- Onapsis Research Labs Contribution — Our team supported SAP in patching five vulnerabilities, covered by four SAP Security Notes
SAP has published twenty-one new and updated SAP Security Notes in its February Patch Day, including six High Priority Notes. Four of these Security Notes were published in collaboration with the Onapsis Research Labs.
The High Priority Notes in Detail
SAP Security Note #3417627, tagged with a CVSS score of 8.8, is an update to a Cross-Site Scripting vulnerability in SAP NetWeaver AS Java that was initially released in February 2024. The updated note references the new SAP Security Note #3557138, tagged with a CVSS score of 6.1. Both notes must be applied to patch the vulnerability completely.
SAP Security Note #3525794, tagged with a CVSS score of 8.7, patches an Improper Authorization Check vulnerability in SAP BusinessObjects (SAP BO) Business Intelligence platform. The vulnerability affects the Central Management Console of SAP BO and allows a highly privileged attacker to impersonate any user in the system through access to the secret passphrase of the trusted systems.
SAP Security Note #3567551, tagged with a CVSS score of 8.6, was patched by SAP in collaboration with the Onapsis Research Labs (ORL). Our team detected a critical Path Traversal vulnerability in a publicly available servlet of SAP Supplier Relationship Management (Master Data Management Catalog). This servlet allows an unauthenticated attacker to download arbitrary files of the application and thus gain access to potentially sensitive data.
SAP Security Note #3567974, tagged with a CVSS score of 8.1, affects SAP Approuter, a service that acts as a single point of entry for various back-end services and applications in the SAP ecosystem. The SAP Approuter Node.js package in version v16.7.1 and before is vulnerable to an Authentication Bypass via authorization code injection, with high impact on the confidentiality and integrity of the application.
SAP Security Note #3567172, tagged with a CVSS score of 7.5, addresses multiple vulnerabilities in SAP Enterprise Project Connection. The application can be used to integrate data between certain SAP applications, such as Project System or Maintenance Management, and selected third-party Project Management system versions from Microsoft Project and Oracle Primavera. SAP Enterprise Project Connection uses versions of Spring Framework open-source libraries which could be vulnerable to CVE-2024-38819, CVE-2024-38820, and CVE-2024-38828. Note: According to SAP, the overall mainstream maintenance window for SAP Enterprise Project Connection 3.0 (SAP ENTERPR PROJ CONN 3.0) will end on October 14, 2025.
The ORL contributed to patching another High Priority SAP Security Note. SAP Security Note #3563929, tagged with a CVSS score of 7.1, patches an Open Redirect Vulnerability in SAP HANA extended application services. The ORL team identified a weakness in the User Account and Authentication service (UAA) that allows unauthenticated attackers to craft a malicious link that, when clicked by a victim, redirects the browser to a malicious site due to insufficient redirect URL validation.
Onapsis Contribution
In addition to the High Priority SAP Security Notes #3567551 and #3563929, the Onapsis Research Labs (ORL) team contributed to patching another three vulnerabilities on SAP’s February Patch Day.
SAP Security Note #3561264, tagged with a CVSS score of 5.3, patches an Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP. The vulnerability affects customers who have activated the ICF services /sap/public/bc/workflow/shortcut or /sap/bc/workflow/shortcut. Because the service behaves differently depending on whether a specified user exists, an attacker can use it to obtain sensitive information.
SAP Security Note #3547581, tagged with a CVSS score of 4.3, patches two Missing Authorization Check vulnerabilities in SAP NetWeaver and ABAP Platform (ST-PI) that allow unauthorized users to access sensitive system information.
Summary & Conclusions
With twenty-one SAP Security Notes, including six High Priority Notes, SAP's February Patch Day is a busier one than usual. We are happy and proud that our team from the Onapsis Research Labs could once more contribute significantly to securing SAP customers all over the world.
| SAP Note | Type | Description | Priority | CVSS |
|---|---|---|---|---|
| 3417627 | Update | [CVE-2024-22126] Cross Site Scripting vulnerability in NetWeaver AS Java (User Admin Application) BC-JAS-SEC-UME | High | 8.8 |
| 3525794 | New | [CVE-2025-0064] Improper Authorization in SAP BusinessObjects Business Intelligence platform (Central Management Console) BI-BIP-AUT | High | 8.7 |
| 3567551 | New | [CVE-2025-25243] Path traversal vulnerability in SAP Supplier Relationship Management (Master Data Management Catalog) SRM-CAT-MDM | High | 8.6 |
| 3567974 | New | [CVE-2025-24876] Authentication bypass via authorization code injection in SAP Approuter BC-XS-APR | High | 8.1 |
| 3567172 | New | [CVE-2024-38819] Multiple vulnerabilities in SAP Enterprise Project Connection CA-EPC | High | 7.5 |
| 3563929 | New | [CVE-2025-24868] Open Redirect Vulnerability in SAP HANA extended application services, advanced model (User Account and Authentication Services) BC-XS-SEC | High | 7.1 |
| 3555364 | New | [CVE-2025-24875] SameSite Defense in Depth not applied for some cookies in SAP Commerce CEC-SCC-CDM-BO-FRW | Medium | 6.8 |
| 3559510 | New | [CVE-2025-24874] Missing Defense in Depth Against Clickjacking in SAP Commerce (Backoffice) CEC-SCC-CDM-BO-FRW | Medium | 6.8 |
| 3445708 | New | [CVE-2025-24867] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform (BI Launchpad) BI-BIP-INV | Medium | 6.1 |
| 3557138 | New | Update 1 to Security Note 3417627 – [CVE-2024-22126] Cross Site Scripting vulnerability in NetWeaver AS Java (User Admin Application) BC-JAS-SEC-UME | Medium | 6.1 |
| 3562336 | New | [CVE-2025-24870] Insecure Key & Secret Management vulnerability in SAP GUI for Windows BC-FES-GUI | Medium | 6.0 |
| 3540273 | New | [CVE-2024-45216] Multiple vulnerabilities in Apache Solr within SAP Commerce Cloud CEC-SCC-COM-SRC-SER | Medium | 5.5 |
| 3526203 | New | [CVE-2025-0054] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java EP-PDK-HBJ | Medium | 5.4 |
| 3532025 | New | [CVE-2025-25241] Missing Authorization check in SAP Fiori Apps Reference Library (My Overtime Requests) PA-FIO-OVT | Medium | 5.4 |
| 3546470 | New | [CVE-2025-23187] Missing Authorization Check in SAP NetWeaver and ABAP Platform (SDCCN) SV-SMG-SDD | Medium | 5.3 |
| 3561264 | New | [CVE-2025-23193] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP BC-BMT-WFM | Medium | 5.3 |
| 3287784 | New | [CVE-2023-24527] Improper Access Control in SAP NetWeaver AS Java for Deploy Service BC-JAS-DPL | Medium | 5.3 |
| 3553753 | New | [CVE-2025-24872] Missing Authorization check in SAP ABAP Platform (ABAP Build Framework) BC-UPG-ADDON | Medium | 4.3 |
| 3550027 | New | [CVE-2025-24869] Information Disclosure vulnerability in SAP NetWeaver Application Server Java BC-WD-JAV | Medium | 4.3 |
| 3547581 | Update | [CVE-2025-23190] Missing Authorization check in SAP NetWeaver and ABAP platform (ST-PI) SV-SMG-TWB | Medium | 4.3 |
| 3426825 | New | [CVE-2025-23191] Cache Poisoning through header manipulation vulnerability in SAP Fiori for SAP ERP OPU-GW-COR | Low | 3.1 |
As always, the Onapsis Research Labs is already updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.
For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defender’s Digest Onapsis Newsletter.