SAP Patch Day: January 2025
Two HotNews Notes released for SAP NetWeaver AS for ABAP and ABAP Platform
Highlights of January SAP Security Notes analysis include:
- January Summary — Thirteen new SAP security patches released, including two HotNews Notes and three High Priority Notes
- SAP HotNews Notes — Critical vulnerabilities in SAP NetWeaver AS for ABAP and ABAP Platform can lead to complete system compromise
- Onapsis Research Labs Contribution — Our team supported SAP in patching the two HotNews vulnerabilities and one Medium Priority vulnerability
SAP has published thirteen new SAP Security Notes on its first Patch Day in 2025, including two HotNews Notes and three High Priority Notes. Three of the thirteen Security Notes were published in collaboration with the Onapsis Research Labs.
The HotNews Notes in detail
The Onapsis Research Labs (ORL) supported SAP in patching two critical vulnerabilities in SAP NetWeaver AS for ABAP and ABAP Platform. Both are tagged with a CVSS score of 9.9 and affect HTTP communication scenarios.
SAP Security Note #3537476 patches an Improper Authentication vulnerability that allows an attacker to steal credentials from an internal RFC communication between server A (the HTTP client) and server B (the server handling the request) of the same system. In a subsequent step, these credentials can be used to start a new HTTP communication between an external program C and server A, with C pretending to be an internal caller. This causes a high impact on the confidentiality, integrity, and availability of the application.
The second HotNews vulnerability was detected in a test report that was unintentionally shipped to customers. Under certain conditions, SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) allow an attacker to read decrypted, plaintext credential information required to communicate with other systems. This not only puts the local system at high risk but can also have a serious impact on the other systems those credentials belong to. The patch included in SAP Security Note #3550708 disables the vulnerable report.
The High Priority Notes in detail
SAP Security Note #3550816, tagged with a CVSS score of 8.8, deactivates some remote-enabled function modules that could be used by an attacker to inject SQL code when accessing Informix databases. This allows the attacker to gain control over the data in the affected database, leading to a complete compromise of confidentiality, integrity and availability.
SAP Security Note #3474398 patches two vulnerabilities in SAP BusinessObjects Business Intelligence Platform:
- An Information Disclosure vulnerability, tagged with a CVSS score of 8.7, allows an unauthenticated attacker to perform session hijacking over the network without any user interaction. Attackers can access and modify data of the affected user in the application and thus cause a high impact on the confidentiality and the integrity of the system.
- A Code Injection vulnerability, tagged with a CVSS score of 6.5, enables an authenticated user with restricted access to inject malicious JS code. The code can be used to read sensitive information from the server and send it to the attacker. In a subsequent step, the attacker could use this information to impersonate a highly privileged user, causing a high impact on the confidentiality and integrity of the application.
SAP Security Note #3542533, tagged with a CVSS score of 7.8, describes a DLL Hijacking vulnerability in SAPSetup. The vulnerability allows an attacker with either local user privileges or access to a compromised corporate user's Windows account to gain higher privileges. This can lead to a high impact on the confidentiality, integrity and availability of the Windows server, since the higher privileges could be used to move laterally within the network and compromise the company's Active Directory.
Onapsis Contribution
In addition to the two HotNews vulnerabilities, our ORL team contributed to patching some remote-enabled function modules that do not check for appropriate authorizations. This allows an authenticated attacker to obtain information that would otherwise be restricted, resulting in a low impact on the confidentiality of the application. SAP Security Note #3550674, tagged with a CVSS score of 4.3, patches the function modules through deactivation.
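The two weaknesses that recur in this month's notes for remote-enabled function modules, a missing authorization check (Note #3550674) and caller input ending up inside SQL text (Note #3550816), are easiest to see side by side. The following ABAP is an added illustration written for this summary; it is not SAP's code, not the modules the notes deactivate, and the function module names, the table ZHYP_CONFIG and the authorization object Z_HYP_CFG are all hypothetical. It shows a weak RFC-enabled module next to the shape an in-house module should have: an AUTHORITY-CHECK before any data access, and native SQL (ADBC) with a bound parameter instead of string concatenation.

```abap
* Added illustration, not code from SAP or from the patched notes.
* Hypothetical remote-enabled function modules reading one value from the
* hypothetical table ZHYP_CONFIG through native SQL (ADBC).

*--- Weak form: no authorization check, caller input concatenated into SQL ---
FUNCTION z_hyp_read_value_weak.
*"  IMPORTING
*"     VALUE(IV_KEY) TYPE STRING
*"  EXPORTING
*"     VALUE(EV_VALUE) TYPE STRING
  DATA lt_rows TYPE STANDARD TABLE OF string.
  " Anyone allowed to invoke the module (S_RFC) can read every row, and the
  " quotes in IV_KEY are not escaped, so the WHERE clause itself can be altered.
  DATA(lo_stmt) = NEW cl_sql_statement( ).
  DATA(lo_res) = lo_stmt->execute_query(
    |SELECT cfg_value FROM zhyp_config WHERE cfg_key = '{ iv_key }'| ).
  lo_res->set_param_table( REF #( lt_rows ) ).
  lo_res->next_package( ).
  lo_res->close( ).
  READ TABLE lt_rows INDEX 1 INTO ev_value.
ENDFUNCTION.

*--- Hardened form: explicit authorization check and parameter binding ---
FUNCTION z_hyp_read_value.
*"  IMPORTING
*"     VALUE(IV_KEY) TYPE STRING
*"  EXPORTING
*"     VALUE(EV_VALUE) TYPE STRING
*"  EXCEPTIONS
*"      NOT_AUTHORIZED
*"      DB_ERROR
  DATA lt_rows TYPE STANDARD TABLE OF string.

  " 1. Business-level authorization. S_RFC, checked by the RFC runtime, only
  "    says the caller may invoke the module; it says nothing about the data.
  "    Z_HYP_CFG is a hypothetical authorization object with the field ACTVT.
  AUTHORITY-CHECK OBJECT 'Z_HYP_CFG'
    ID 'ACTVT' FIELD '03'.            " 03 = display
  IF sy-subrc <> 0.
    RAISE not_authorized.
  ENDIF.

  " 2. Parameter binding: IV_KEY travels as a bound value, never as SQL text,
  "    so its content cannot change the structure of the statement.
  TRY.
      DATA(lo_stmt) = NEW cl_sql_statement( ).
      lo_stmt->set_param( REF #( iv_key ) ).
      DATA(lo_res) = lo_stmt->execute_query(
        `SELECT cfg_value FROM zhyp_config WHERE cfg_key = ?` ).
      lo_res->set_param_table( REF #( lt_rows ) ).
      lo_res->next_package( ).
      lo_res->close( ).
    CATCH cx_sql_exception.
      RAISE db_error.
  ENDTRY.
  READ TABLE lt_rows INDEX 1 INTO ev_value.
ENDFUNCTION.
```

The same two checks apply when reviewing custom remote-enabled modules before a Patch Day: confirm that each one performs its own AUTHORITY-CHECK rather than relying on S_RFC alone, and that any native or dynamic SQL it builds binds caller input as parameters instead of embedding it in the statement text.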
Summary & Conclusions
2025 starts for SAP customers with the announcement of several critical vulnerabilities that require immediate patching. Since they affect SAP NetWeaver AS for ABAP and ABAP Platform, most SAP systems are exposed to high risk if they are left unpatched.
| SAP Note | Type | Description | Priority | CVSS |
|---|---|---|---|---|
| 3537476 | New | [CVE-2025-0070] Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform (BC-MID-ICF) | HotNews | 9.9 |
| 3550708 | New | [CVE-2025-0066] Information Disclosure vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) (BC-MID-ICF) | HotNews | 9.9 |
| 3550816 | New | [CVE-2025-0063] SQL Injection vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (BC-DB-INF) | High | 8.8 |
| 3474398 | New | [CVE-2025-0061] Multiple vulnerabilities in SAP BusinessObjects Business Intelligence Platform (BI-BIP-INV) | High | 8.7 |
| 3542533 | New | [CVE-2025-0069] DLL Hijacking vulnerability in SAPSetup (BC-FES-INS) | High | 7.8 |
| 3542698 | New | [CVE-2025-0058] Information Disclosure vulnerability in SAP Business Workflow and SAP Flexible Workflow (BC-BMT-WFM) | Medium | 6.5 |
| 3540108 | New | [CVE-2025-0067] Missing Authorization check in SAP NetWeaver Application Server Java (BC-WD-JAV) | Medium | 6.3 |
| 3502459 | New | [CVE-2025-0056] Information Disclosure vulnerability in SAP GUI for Java (BC-FES-JAV) | Medium | 6.0 |
| 3472837 | New | [CVE-2025-0055] Information Disclosure vulnerability in SAP GUI for Windows (BC-FES-GUI) | Medium | 6.0 |
| 3503138 | New | [CVE-2025-0059] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML) (BC-FES-WGU) | Medium | 6.0 |
| 3536461 | New | [CVE-2025-0053] Information Disclosure Vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform (BC-MID-ICF) | Medium | 5.3 |
| 3514421 | New | [CVE-2025-0057] Cross-Site Scripting vulnerability in SAP NetWeaver AS JAVA (User Admin Application) (BC-JAS-SEC-UME) | Medium | 4.8 |
| 3550674 | New | [CVE-2025-0068] Missing Authorization check in Remote Function Call (RFC) in SAP NetWeaver Application Server ABAP (BC-BMT-WFM) | Medium | 4.3 |
As always, the Onapsis Research Labs is already updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.
For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our Defenders Digest Onapsis Newsletter.