SAP Security Notes: April 2025 Patch Day

Critical Code Injection Vulnerability in SAP System Landscape Transformation (SLT) and S/4HANA
Highlights of April SAP Security Notes analysis include:
- April Summary — Twenty new and updated SAP security patches released, including three Hot News Notes and five High Priority Notes
- SAP Hot News Notes — RFC enabled Function Module allows injection of arbitrary ABAP code
- Onapsis Research Labs Contribution — Our team supported SAP in patching two vulnerabilities, including one tagged with High Priority.
SAP has published twenty new and updated SAP Security Notes in its April Patch Day, including three Hot News Notes and five High Priority Notes. Two of the seventeen new Security Notes were published in contribution with the Onapsis Research Labs.
The Hot News Notes in Detail
The two SAP Security Notes #3587115 and #3581961, tagged with a CVSS score of 9.9, fix a very critical Code Injection vulnerability that allows a remote attacker to generate arbitrary ABAP code in the system. While the first note addresses the optional SAP Data Migration Server (DMIS) Add-On in SAP ECC, the second note patches the same vulnerability in S/4HANA. Both patches disable the same remote-enabled function module. If unpatched, the function module accepts any text as input parameter and generates an ABAP report based on this input using the INSERT REPORT statement. A successful exploit only requires S_RFC authorization on the respective function module or on the corresponding function group.
SAP Security Note #3572688, tagged with a CVSS score of 9.8, patches an Authentication Bypass vulnerability in SAP Financial Consolidation. Due to an improper authentication mechanism, unauthenticated attackers can impersonate the Admin account, causing high impact on the confidentiality, integrity, and availability of the application.
The High Priority Notes in Detail
The Onapsis Research Labs (ORL) team contributed to patching a Mixed Dynamic RFC Destination vulnerability in NetWeaver Application Server ABAP. The ORL team detected that the patch for an Information Disclosure vulnerability provided by SAP Security Note #3469791 in December 2024 could be bypassed. SAP Security Note #3554667, tagged with a CVSS score of 8.5, now closes this gap. Customers who applied the workaround for the December Note by setting the profile parameter rfc/dynamic_dest_api_only to 1 are not affected by the security gap. Nevertheless, we strongly recommend implementing the kernel patch provided with SAP Security Note #3554667, since the workaround could have unexpected side effects on SAP standard applications.
SAP Security Note #3525794, tagged with a CVSS score of 8.8, is an updated note that was initially released in February 2025. The note patches an Improper Authorization vulnerability in SAP BusinessObjects Business Intelligence platform. The update contains some minor text updates and changes in the CVSS vector.
SAP Security Note #3590984 is tagged with a CVSS score of 8.1 and patches a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in SAP Commerce Cloud. The issue exists because SAP Commerce Cloud uses versions of Apache Tomcat that are vulnerable to CVE-2024-56337. SAP states that “SAP Commerce Cloud is not exploitable out of the box” since a successful exploit depends on a server setting that remains beyond the attacker’s control. The note lists three conditions in total that must be fulfilled and none of them apply by default. Nevertheless, patching is strongly recommended since a vulnerable scenario could lead to full compromise of the system’s confidentiality, integrity, and availability.
SAP Security Note #3581811 addresses SAP NetWeaver Application Server ABAP and ABAP Platform. The note is tagged with a CVSS score of 7.7 and patches a Directory Traversal vulnerability. The affected remote-enabled function module has been improved by implementing multiple security measures. In addition to an extended authorization check, some sensitive directories are explicitly excluded now and relative path names are rejected.
Another Directory Traversal vulnerability, also tagged with a CVSS score of 7.7, is patched with SAP Security Note #2927164. This vulnerability affects SAP Capital Yield Tax Management and allows a low-privileged attacker to read files from directories that they could not otherwise access.
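To make the three measures described for Note #3581811 concrete (an extended authorization check, explicit exclusion of sensitive directories, and rejection of relative path names), here is an added example of a default-deny path gate in Python. It is illustrative code written for this post, not SAP's fix (which lives in ABAP inside the function module), and it is equally the kind of check that closes the Capital Yield Tax Management traversal above. The user name, the allowed roots and the denied directories are constructed placeholder values, not taken from the notes.

```python
# Added example (not SAP's code): a default-deny file-path gate modelled on the
# three measures described for SAP Security Note #3581811.
# All policy values below are constructed placeholders for illustration.
AUTHORIZED_USERS = {"SDCC_USER"}  # hypothetical: stands in for the extended authorization check
ALLOWED_ROOTS = ("/usr/sap/SID/D00/log", "/usr/sap/SID/D00/work")  # hypothetical
DENIED_DIRS = ("/usr/sap/SID/SYS/profile", "/sapmnt/SID/global/security", "/etc")  # hypothetical


def _is_within(path: str, directory: str) -> bool:
    """True if path equals directory or lies below it.

    The comparison is segment-aware, so "/log" does not match "/logs/x".
    """
    directory = directory.rstrip("/")
    return path == directory or path.startswith(directory + "/")


def check_path(user: str, requested: str) -> tuple:
    """Return (accepted, detail).

    detail is the normalized path when the request is accepted, otherwise
    the reason it was rejected. Every check is a hard reject; there is no
    attempt to "repair" a bad path, which is where traversal filters usually fail.
    """
    # 1. Extended authorization check: the caller must be explicitly allowed.
    if user not in AUTHORIZED_USERS:
        return False, "authorization check failed"

    # Control characters (including NUL) can truncate or confuse lower layers.
    if any(ord(c) < 0x20 or c == "\x7f" for c in requested):
        return False, "control character in path"

    # 2. Relative path names are rejected: the path must be absolute ...
    if not requested.startswith("/"):
        return False, "relative path rejected"
    segments = [s for s in requested.split("/") if s != ""]
    # ... and must not contain "." or ".." segments that could climb out of a directory.
    if any(s in (".", "..") for s in segments):
        return False, "relative path segment rejected"
    # Rebuild the path from its segments; this collapses "//" and trailing "/".
    normalized = "/" + "/".join(segments)

    # 3. Sensitive directories are explicitly excluded, even if an allowed root overlapped them.
    if any(_is_within(normalized, d) for d in DENIED_DIRS):
        return False, "sensitive directory excluded"

    # Default deny: only files below an explicitly allowed root may be read.
    if not any(_is_within(normalized, r) for r in ALLOWED_ROOTS):
        return False, "outside allowed roots"
    return True, normalized


if __name__ == "__main__":
    # Constructed sample requests, one per rejection reason plus one accepted path.
    samples = (
        "/usr/sap/SID/D00/log/dev_w0",
        "work/dev_w0",
        "/usr/sap/SID/D00/log/../../SYS/profile/DEFAULT.PFL",
        "/etc/passwd",
        "/usr/sap/SID/D00/logs/x",
    )
    for req in samples:
        print(f"{req!r} -> {check_path('SDCC_USER', req)}")
```

The order of the checks matters less than the fact that each one is a terminal reject and that the final decision is an allow-list match on the normalized path rather than a deny-list match on the raw string; a deny list alone is what traversal payloads are built to slip past.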
Onapsis Contribution
In addition to the High Priority SAP Security Note #3554667, the Onapsis Research Labs (ORL) team contributed to patching an Information Disclosure vulnerability in SAP KMC WPC.
SAP Security Note #3568307, tagged with a CVSS score of 5.3, patches the issue. If left unpatched, unauthenticated remote attackers can start a parameter query to retrieve usernames, which could expose sensitive information and causes low impact on the confidentiality of the application.
Summary & Conclusions
With twenty SAP Security Notes, including three Hot News Notes and five High Priority Notes, SAP's April Patch Day is a busier one. We are happy and proud that our team from the Onapsis Research Labs could once more contribute to securing SAP customers all over the world.
| SAP Note | Type | Description | Priority | CVSS |
|---|---|---|---|---|
| 3587115 | New | [CVE-2025-31330] Code Injection Vulnerability in SAP Landscape Transformation (Analysis Platform) CA-LT-ANA | Hot News | 9.9 |
| 3581961 | New | [CVE-2025-27429] Code Injection Vulnerability in SAP S/4HANA (Private Cloud) CA-LT-ANA | Hot News | 9.9 |
| 3572688 | New | [CVE-2025-30016] Authentication Bypass Vulnerability in SAP Financial Consolidation EPM-BFC-TCL-ADM-SEC | Hot News | 9.8 |
| 3525794 | Update | [CVE-2025-0064] Improper Authorization in SAP BusinessObjects Business Intelligence platform BI-BIP-AUT | High | 8.8 |
| 3554667 | New | [CVE-2025-23186] Mixed Dynamic RFC Destination vulnerability through Remote Function Call (RFC) in SAP NetWeaver Application Server ABAP BC-MID-RFC | High | 8.5 |
| 3590984 | New | [CVE-2024-56337] Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat within SAP Commerce Cloud CEC-SCC-CDM-CKP-COR | High | 8.1 |
| 3581811 | New | [CVE-2025-27428] Directory Traversal vulnerability in SAP NetWeaver and ABAP Platform (Service Data Collection) SV-SMG-SDD | High | 7.7 |
| 2927164 | New | [CVE-2025-30014] Directory Traversal vulnerability in SAP Capital Yield Tax Management FS-CYT | High | 7.7 |
| 3543274 | New | [CVE-2025-26654] Potential information disclosure vulnerability in SAP Commerce Cloud (Public Cloud) CEC-SCC-CLA-ENV-NWC | Medium | 6.8 |
| 3571093 | New | [CVE-2025-30013] Code Injection vulnerability in SAP ERP BW Business Content BW-BCT-WEB | Medium | 6.7 |
| 3565751 | New | [CVE-2025-31332] Insecure File permissions vulnerability in SAP BusinessObjects Business Intelligence Platform BI-BIP-INS | Medium | 6.6 |
| 3568307 | New | [CVE-2025-26657] Information Disclosure vulnerability in SAP KMC WPC EP-KM-CM | Medium | 5.3 |
| 3559307 | New | [CVE-2025-26653] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML) BC-FES-WGU | Medium | 4.7 |
| 3558864 | New | [CVE-2025-30017] Missing Authorization check in SAP Solution Manager SV-SMG-IMP | Medium | 4.4 |
| 3525971 | Update | [CVE-2025-31333] OData meta-data tampering in SAP S4CORE entity PP-PI-MD-PRV | Medium | 4.3 |
| 3577131 | New | [CVE-2025-31331] Authorization Bypass vulnerability in SAP NetWeaver CA-GTF-TS-GMA | Medium | 4.3 |
| 3568778 | New | [CVE-2025-27437] Missing Authorization check in SAP NetWeaver Application Server ABAP (Virus Scan Interface) BC-SEC-VIR | Medium | 4.3 |
| 3539465 | New | [CVE-2025-27435] Information Disclosure Vulnerability in SAP Commerce Cloud CEC-SCC-COM-PRO-CUC | Medium | 4.2 |
| 3565944 | New | [CVE-2025-30015] Memory Corruption vulnerability in SAP NetWeaver and ABAP Platform (Application Server ABAP) BC-DB-DBI | Medium | 4.1 |
| 3561861 | Update | [CVE-2025-27430] Server Side Request Forgery (SSRF) in SAP CRM and SAP S/4 HANA (Interaction Center) CRM-IC-BF | Low | 3.5 |
As always, the Onapsis Research Labs is already updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.
For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defenders Digest Onapsis Newsletter on LinkedIn.