SAP Security Notes: May 2025 Patch Day

Critical Vulnerabilities in SAP Visual Composer require immediate patching
Highlights of May SAP Security Notes analysis include:
- May Summary — Twenty-two new and updated SAP security patches released, including four HotNews Notes and five High Priority Notes
- SAP Visual Composer — Critical Deserialization vulnerability must be patched immediately
- Onapsis Research Labs Contribution — Our team supported SAP in patching nine vulnerabilities, covered by six SAP Security Notes
SAP has published twenty-two new and updated SAP Security Notes in its May Patch Day, including four HotNews Notes and five High Priority Notes. Six of the nineteen new Security Notes were published in contribution with the Onapsis Research Labs.
As part of our ongoing commitment to SAP security, Onapsis Research Labs continues to lead efforts in identifying and helping remediate critical vulnerabilities across the SAP ecosystem.
The HotNews Notes in Detail
Critical SAP Visual Composer Vulnerability (CVE-2025-31324)
SAP Security Note #3594142, tagged with the highest possible CVSS score of 10.0, was published in an emergency release by SAP on April 24. The note patches a critical Missing Authorization Check vulnerability in SAP Visual Composer, tracked under CVE-2025-31324. An emergency release was required because SAP and external research companies had already identified active exploitation of the vulnerability in the wild.
On April 29, 2025, CISA added the CVE to their Known Exploited Vulnerabilities Catalog.
Active Exploitation and Follow-Up Attacks
Onapsis is seeing significant activity from attackers who are using public information to trigger exploitation and abuse webshells placed by the original attackers, who have currently gone dark. The Onapsis Research Labs (ORL) and other security firms are seeing evidence of follow-up, opportunistic attackers using previously established webshells from the prior attack campaign in order to stage new attacks.
Onapsis Research Labs’ Response and Tools
The Onapsis Research Labs (ORL) has summarized all important background information about the vulnerability and related malicious activities in this blog post, including a list of IP addresses observed in exploitation of the vulnerability. Additionally, the Onapsis Research Labs (ORL) has released an open-source scanner for CVE-2025-31324 for all SAP customers. Detailed information about CVE-2025-31324 can be found here.
Further Patch for SAP Visual Composer (CVE-2025-31324)
While deconstructing the attack used around CVE-2025-31324, the Onapsis Research Labs (ORL) was able to provide more information to SAP about the adversary behavior. SAP did a fantastic job responding quickly to new information and turned around an additional patch to strengthen protections against the exploit active in the wild. SAP Security Note #3604119, tagged with a CVSS score of 9.1, patches the corresponding Insecure Deserialization vulnerability. We strongly recommend reading the corresponding FAQ document 3605597 and the attached KBA Note #3593336. Since both HotNews Notes, #3594142 and #3604119, only provide automatic corrections for SAP NetWeaver Java AS 7.50, the KBA Note includes important instructions for customers operating lower versions.
Updates to Previous HotNews Notes
The HotNews Notes #3587115 and #3581961, both tagged with a CVSS score of 9.9, are updates on patches that were initially released on SAP’s April Patch Day. SAP Security Note #3587115 patches a Code Injection Vulnerability in SAP Landscape Transformation. The update now includes patches for the additional software component versions DMIS 2018 and DMIS 2020. For SAP Security Note #3581961, SAP only updated the title to point out that On-Premise installations of S/4HANA are also affected by the vulnerability.
The High Priority Notes in Detail
Multiple Vulnerabilities in SAP Supplier Relationship Management (Live Auction Cockpit)
SAP Security Note #3578900, tagged with a CVSS score of 8.6, patches five vulnerabilities in SAP Supplier Relationship Management (Live Auction Cockpit), four of them reported in collaboration with the Onapsis Research Labs (ORL). The vulnerabilities are present in an outdated version of the Live Auction Cockpit that was based on Java Applet technology. They mainly impact the confidentiality of the application. The outdated version of the cockpit has been deprecated and has been replaced in SRM_SERVER 7.0 EHP4 SP06 and in new installations of SRM 7.14. For existing installations of SRM 7.14, the affected software component version SAP LACWPS 6.0 NW7.3 can be undeployed.
Code Injection Vulnerability in SAP S/4HANA Cloud Private Edition and On Premise
SAP Security Note #3600859, tagged with a CVSS score of 8.3, patches a Code Injection vulnerability in SAP S/4HANA Cloud Private Edition and On Premise. A remote-enabled function module of the SCM Master Data Layer (MDL) application allows an unauthenticated attacker to replace arbitrary ABAP programs, including SAP standard programs. The patch disables the function module completely.
Information Disclosure in SAP Business Objects Business Intelligence Platform
SAP Security Note #3586013, tagged with a CVSS score of 7.9, addresses an Information Disclosure vulnerability in the Promotion Management Wizard (PMW) of SAP Business Objects Business Intelligence Platform. The Directory and File Dialogs provide access to certain executables that can be used to access information which would otherwise be restricted. This has high impact on confidentiality and low impact on integrity and availability of the application.
Missing Authorization Check in SAP Landscape Transformation (PCL Basis Module)
SAP Security Note #3591978, tagged with a CVSS score of 7.7, was released by SAP in collaboration with the Onapsis Research Labs. The Onapsis Research Labs (ORL) team identified a remote-enabled function module in the PCL Basis module of SAP Landscape Transformation that fails to perform the necessary authorization checks to restrict access to the provided functionality and data.
Update to Missing Authorization Check in SAP PDCE
SAP Security Note #3483344, tagged with a CVSS score of 7.7, is the fourth update of a patch that was initially released in July 2024 in collaboration with Onapsis. The patch that fixes a Missing Authorization Check vulnerability in SAP PDCE is now available for additional software components and Support Package levels.
Onapsis Contribution
In addition to one HotNews Note and two High Priority Notes, the Onapsis Research Labs (ORL) supported SAP in patching three vulnerabilities with Medium priority.
Information Disclosure in SAP Gateway Client
SAP Security Note #3577300, tagged with a CVSS score of 6.6, patches an Information Disclosure vulnerability in the SAP Gateway Client. The Onapsis Research Labs (ORL) detected that, under certain conditions, the SAP Gateway client exposes data that could be misused to negatively impact confidentiality, integrity, and availability of the application.
Information Disclosure in SAP NetWeaver AS ABAP and ABAP Platform
SAP Security Note #3577287, tagged with a CVSS score of 6.2, addresses an Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform. Insufficient input validation on some fields in transaction SM59 allows attackers with administrative privileges to manipulate configuration settings. When accessed by a victim, sensitive information such as user credentials is exposed.
Cross-Site Scripting (XSS) in SAP Supplier Relationship Management
SAP Security Note #3588455, tagged with a CVSS score of 6.1, patches a Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management. Due to missing input validation in the Master Data Management Catalogue, unauthenticated attackers are able to execute malicious scripts in the application with minor impact on its confidentiality and integrity.
Summary & Conclusions
There are two lessons learned from SAP’s May Patch Day:
1) Immediate patching of critical security vulnerabilities is a MUST. It has meanwhile become common that malicious activity starts as soon as SAP releases a critical patch. This includes the publication of detailed exploit instructions and systematic scanning of SAP systems for the vulnerability.
2) The challenges posed by malicious threat actors require collaboration from everyone in the SAP ecosystem: SAP, external research companies, and SAP customers.
| SAP Note | Type | Description | Priority | CVSS |
|---|---|---|---|---|
| 3594142 | New | [CVE-2025-31324] Missing Authorization check in SAP NetWeaver (Visual Composer development server) EP-VC-INF | HotNews | 10.0 |
| 3587115 | Update | [CVE-2025-31330] Code Injection Vulnerability in SAP Landscape Transformation (Analysis Platform) CA-LT-ANA | HotNews | 9.9 |
| 3581961 | Update | [CVE-2025-27429] Code Injection Vulnerability in SAP S/4HANA (Private Cloud or On-Premise) CA-LT-ANA | HotNews | 9.9 |
| 3604119 | New | [CVE-2025-42999] Insecure Deserialization in SAP NetWeaver (Visual Composer development server) EP-VC-INF | HotNews | 9.1 |
| 3578900 | New | [CVE-2025-30018] Multiple vulnerabilities in SAP Supplier Relationship Management (Live Auction Cockpit) SRM-LA | High | 8.6 |
| 3600859 | New | [CVE-2025-43010] Code injection vulnerability in SAP S/4HANA Cloud Private Edition or On Premise (SCM Master Data Layer (MDL)) SCM-BAS-MDL | High | 8.3 |
| 3586013 | New | [CVE-2025-43000] Information Disclosure Vulnerability in SAP Business Objects Business Intelligence Platform (PMW) BI-BIP-LCM | High | 7.9 |
| 3483344 | Update | [CVE-2024-39592] Missing Authorization check in SAP PDCE FIN-BA | High | 7.7 |
| 3591978 | New | [CVE-2025-43011] Missing Authorization Check in SAP Landscape Transformation (PCL Basis) CA-LT-PCL | High | 7.7 |
| 3577300 | New | [CVE-2025-42997] Information Disclosure vulnerability in SAP Gateway Client OPU-GW-V4 | Medium | 6.6 |
| 3596033 | New | [CVE-2025-43003] Information Disclosure vulnerability in SAP S/4HANA (Private Cloud & On-Premise) CRM-MD-BP | Medium | 6.4 |
| 2719724 | New | [CVE-2025-43007] Missing Authorization check in SAP Service Parts Management (SPM) LO-SPM-X | Medium | 6.3 |
| 2491817 | New | [CVE-2025-43009] Missing Authorization check in SAP Service Parts Management (SPM) LO-SPM-OUT | Medium | 6.3 |
| 3577287 | New | [CVE-2025-31329] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform BC-MID-RFC | Medium | 6.2 |
| 3588455 | New | [CVE-2025-43006] Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management (Master Data Management Catalog) SRM-CAT-MDM | Medium | 6.1 |
| 3585992 | New | [CVE-2025-43008] Missing Authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal PY-PT | Medium | 5.8 |
| 3571096 | New | [CVE-2025-43004] Security Misconfiguration Vulnerability in SAP Digital Manufacturing (Production Operator Dashboard) MFG-DM | Medium | 5.3 |
| 3446649 | New | [CVE-2025-31328] Cross-Site Request Forgery (CSRF) vulnerability in SAP S/4 HANA (Learning Solution) PA-FIO-LSO | Medium | 4.6 |
| 3558755 | New | [CVE-2025-26662] Cross-Site Scripting (XSS) vulnerability in the SAP Data Services Management Console EIM-DS-SVR | Medium | 4.4 |
| 3574520 | New | [CVE-2025-43005] Information Disclosure vulnerability in SAP GUI for Windows BC-FES-GXT | Medium | 4.3 |
| 3227940 | New | [CVE-2025-43002] Missing Authorization check in SAP S4/HANA (OData meta-data property) MM-PUR-SVC-SES | Medium | 4.3 |
| 3359825 | New | [CVE-2025-31327] OData meta-data property entity tampering in SAP Field Logistics CA-FL-SRV | Medium | 4.3 |
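The note table above is the raw material for a patching order. As an added example, not code from Onapsis or SAP, the following Python script parses that table as published, counts notes per priority class, and orders them for remediation: CVEs listed in CISA's KEV catalog first, then HotNews before High before Medium before Low (SAP's priority classes), then CVSS descending, with table position as a stable tie-break. The KEV set is a constructed input holding only CVE-2025-31324, the one CVE this post says CISA added to the catalog; a real run would load the current catalog instead.

```python
"""Patch-Day triage helper (added example; not Onapsis or SAP code).

Parses the note table from the post, embedded verbatim below, and orders the
notes for patching: CISA KEV entries first, then HotNews > High > Medium > Low,
then CVSS descending, then table order as a stable tie-break.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Table from the post: trailing-pipe rows without a leading pipe, as published.
# The parser also accepts a fully piped markdown table with a ---|--- separator.
NOTE_TABLE = """\
SAP Note | Type | Description | Priority | CVSS |
3594142 | New | [CVE-2025-31324] Missing Authorization check in SAP NetWeaver (Visual Composer development server) EP-VC-INF | HotNews | 10.0 |
3587115 | Update | [CVE-2025-31330] Code Injection Vulnerability in SAP Landscape Transformation (Analysis Platform) CA-LT-ANA | HotNews | 9.9 |
3581961 | Update | [CVE-2025-27429] Code Injection Vulnerability in SAP S/4HANA (Private Cloud or On-Premise) CA-LT-ANA | HotNews | 9.9 |
3604119 | New | [CVE-2025-42999] Insecure Deserialization in SAP NetWeaver (Visual Composer development server) EP-VC-INF | HotNews | 9.1 |
3578900 | New | [CVE-2025-30018] Multiple vulnerabilities in SAP Supplier Relationship Management (Live Auction Cockpit) SRM-LA | High | 8.6 |
3600859 | New | [CVE-2025-43010] Code injection vulnerability in SAP S/4HANA Cloud Private Edition or On Premise(SCM Master Data Layer (MDL)) SCM-BAS-MDL | High | 8.3 |
3586013 | New | [CVE-2025-43000] Information Disclosure Vulnerability in SAP Business Objects Business Intelligence Platform (PMW) BI-BIP-LCM | High | 7.9 |
3483344 | Update | [CVE-2024-39592] Missing Authorization check in SAP PDCE FIN-BA | High | 7.7 |
3591978 | New | [CVE-2025-43011] Missing Authorization Check in SAP Landscape Transformation (PCL Basis) CA-LT-PCL | High | 7.7 |
3577300 | New | [CVE-2025-42997] Information Disclosure vulnerability in SAP Gateway Client OPU-GW-V4 | Medium | 6.6 |
3596033 | New | [CVE-2025-43003] Information Disclosure vulnerability in SAP S/4HANA (Private Cloud & On-Premise) CRM-MD-BP | Medium | 6.4 |
2719724 | New | [CVE-2025-43007] Missing Authorization check in SAP Service Parts Management (SPM) LO-SPM-X | Medium | 6.3 |
2491817 | New | [CVE-2025-43009] Missing Authorization check in SAP Service Parts Management (SPM) LO-SPM-OUT | Medium | 6.3 |
3577287 | New | [CVE-2025-31329] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform BC-MID-RFC | Medium | 6.2 |
3588455 | New | [CVE-2025-43006] Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management (Master Data Management Catalog) SRM-CAT-MDM | Medium | 6.1 |
3585992 | New | [CVE-2025-43008] Missing Authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal PY-PT | Medium | 5.8 |
3571096 | New | [CVE-2025-43004] Security Misconfiguration Vulnerability in SAP Digital Manufacturing (Production Operator Dashboard) MFG-DM | Medium | 5.3 |
3446649 | New | [CVE-2025-31328] Cross-Site Request Forgery (CSRF) vulnerability in SAP S/4 HANA (Learning Solution) PA-FIO-LSO | Medium | 4.6 |
3558755 | New | [CVE-2025-26662] Cross-Site Scripting (XSS) vulnerability in the SAP Data Services Management Console EIM-DS-SVR | Medium | 4.4 |
3574520 | New | [CVE-2025-43005] Information Disclosure vulnerability in SAP GUI for Windows BC-FES-GXT | Medium | 4.3 |
3227940 | New | [CVE-2025-43002] Missing Authorization check in SAP S4/HANA (OData meta-data property) MM-PUR-SVC-SES | Medium | 4.3 |
3359825 | New | [CVE-2025-31327] OData meta-data property entity tampering in SAP Field Logistics CA-FL-SRV | Medium | 4.3 |
"""

# Constructed input: the one CVE the post says CISA added to its KEV catalog.
KEV_CVES = {"CVE-2025-31324"}

PRIORITY_RANK = {"HotNews": 0, "High": 1, "Medium": 2, "Low": 3}
CVE_RE = re.compile(r"\[(CVE-\d{4}-\d{4,})\]")


@dataclass(frozen=True)
class SapNote:
    note: str
    kind: str          # "New" or "Update"
    description: str
    priority: str
    cvss: float
    cve: str | None    # first CVE id found in the description, if any
    row: int           # position in the table; stable tie-break


def parse_note_table(text: str) -> list[SapNote]:
    """Parse the pipe-separated table, skipping header, separator and blank rows."""
    notes: list[SapNote] = []
    for row, line in enumerate(text.strip().splitlines()):
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if cells[0] == "SAP Note" or set(cells[0]) <= set("-:"):
            continue  # header row, markdown separator row, or blank line
        if len(cells) != 5:
            raise ValueError(f"row {row}: expected 5 columns, got {len(cells)}")
        note, kind, desc, prio, cvss = cells
        if prio not in PRIORITY_RANK:
            raise ValueError(f"row {row}: unknown priority {prio!r}")
        m = CVE_RE.search(desc)
        notes.append(SapNote(note, kind, desc, prio, float(cvss), m.group(1) if m else None, row))
    return notes


def triage(notes: list[SapNote], kev_cves: set[str]) -> list[SapNote]:
    """KEV-listed first, then priority class, then CVSS descending, then table order."""
    return sorted(
        notes,
        key=lambda n: (n.cve not in kev_cves, PRIORITY_RANK[n.priority], -n.cvss, n.row),
    )


def count_by_priority(notes: list[SapNote]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for n in notes:
        counts[n.priority] = counts.get(n.priority, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_note_table(NOTE_TABLE)
    print(count_by_priority(parsed))
    for n in triage(parsed, KEV_CVES):
        flag = "KEV " if n.cve in KEV_CVES else "    "
        print(f"{flag}{n.priority:<8}{n.cvss:>5}  {n.note}  {n.kind:<7}{n.cve}")
```

Run as a script it prints the four HotNews Notes at the top with #3594142 flagged as KEV, followed by the five High Priority Notes from 8.6 down to 7.7. Keeping the sort key explicit (KEV flag, class, score, row) makes the ordering reproducible between Patch Days; swapping KEV_CVES for the live catalog is the only change a production run needs.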
As always, the Onapsis Research Labs is already updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.
For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defender’s Digest Onapsis Newsletter.
Frequently Asked Questions
What is CVE-2025-31324 and why is it critical for SAP security?
CVE-2025-31324 is a critical vulnerability in SAP Visual Composer that allows unauthenticated attackers to upload arbitrary files and fully compromise affected systems. It has a CVSS score of 10.0 and is under active exploitation, making immediate patching essential.
Which SAP components are affected by CVE-2025-31324?
The vulnerability impacts SAP NetWeaver Java systems with the Visual Composer component enabled. Though not always installed by default, this component is widely used and enabled in many environments.
How is Onapsis involved in SAP vulnerability remediation?
Onapsis Research Labs collaborated with SAP to identify and help patch nine vulnerabilities in the May Patch Day release, including CVE-2025-31324. Onapsis also released an open-source scanner to help SAP customers assess exposure to the exploit.
What patches or SAP Notes address this zero-day vulnerability?
SAP Security Note #3594142 addresses the Missing Authorization Check vulnerability (CVE-2025-31324). An additional patch, SAP Note #3604119, mitigates related deserialization risks. Customers should also review KBA Note #3593336 and FAQ Note #3605597.
What is the risk of delaying patching these SAP HotNews Notes?
Delaying patching exposes SAP systems to known, actively exploited vulnerabilities. Threat actors have already deployed webshells on unpatched systems, and follow-up attacks are ongoing. Prompt patching is critical to avoid compromise and maintain SAP system integrity.