SAP Patch Day: March 2025

Security Notes

Three new High Priority Notes and one Important Best Practice CVSS 0.0 Note

Highlights of March SAP Security Notes analysis include:

  • March Summary: Twenty-five new and updated SAP security patches released, including five High Priority Notes
  • Transaction SA38 patched: Vulnerability allows execution of ABAP Class Builder functionality, leading to high impact on Confidentiality, Integrity, and Availability
  • Best Practice Note for SAP BTP: Special attention required for customers developing Java applications implemented with the Spring Framework

SAP has released twenty-five SAP Security Notes on its March Patch Day (including the notes that were released or updated since last Patch Tuesday). Five of them are High Priority Notes.

Two of the five High Priority Notes are updates on earlier released patches.

SAP Security Note #3567974, tagged with a CVSS score of 8.1, was initially released on SAP’s February Patch Day and patches an authentication bypass via authorization code injection in SAP Approuter. The ‘Symptom’ section of the note was updated and an FAQ note was added (#3571636).

SAP Security Note #3483344, tagged with a CVSS score of 7.7, was extended by corrections for additional affected software components. The note patches a Missing Authorization Check vulnerability in SAP PDCE that can lead to high impact on the application’s confidentiality.

The new High Priority Notes in Detail

SAP Security Note #3563927, tagged with a CVSS score of 8.8, affects a wide range of SAP customers. It patches a Missing Authorization Check vulnerability in transaction SA38 of SAP NetWeaver Application Server ABAP that gives access to functionality of the Class Builder which should be restricted to the ABAP Development Workbench. Left unpatched, all applications on the affected system are exposed to high risk with regard to their confidentiality, integrity, and availability.

SAP Security Note #3569602, tagged with a CVSS score of 8.8, patches a Cross-Site Scripting (XSS) vulnerability in SAP Commerce caused by the open source library swagger-ui. The explore feature of Swagger UI is vulnerable to DOM-based XSS, which allows an unauthenticated attacker to inject malicious code from remote sources. A successful exploit can have a high negative impact on the confidentiality, integrity, and availability of the application. SAP points out, however, that exploitation requires significant user interaction: the attacker needs to convince a victim to place a malicious payload into an input field. As a workaround, customers can remove any use of swagger-ui in SAP Commerce or block access to the swagger consoles.

SAP Security Note #3566851, tagged with a CVSS score of 8.6, patches a Denial of Service (DoS) vulnerability and an Unchecked Error Condition vulnerability in SAP Commerce Cloud. The application ships a version of Apache Tomcat that is vulnerable to CVE-2024-38286 and CVE-2024-52316. The note provides updates that include patched Tomcat versions.

About the CVSS 0.0 SAP Security Note

SAP Security Note #3576540, tagged with a CVSS score of 0.0 (no, it’s not a typo), provides best practice information for custom Java applications in SAP BTP implemented with the Spring Framework. Developers of such applications often use Spring Boot Actuator, which exposes a set of URL endpoints offering real-time application data for debugging and monitoring. Without proper security measures, these endpoints can introduce serious vulnerabilities. The note lists the affected endpoints and the conditions under which an application is affected.
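The following Python script is an added example, not code from SAP Note #3576540 or from the Spring project. It models the documented Spring Boot rules for which Actuator endpoints are reachable over HTTP (the web exposure include/exclude lists, with exclude winning and a default of health only; the enabled switches, with shutdown disabled by default) and audits a constructed weak application.properties beside a hardened one. The endpoint list and the classification of endpoints as sensitive are this example's own assumptions; the SAP note carries its own list of affected endpoints.

```python
"""Audit Spring Boot Actuator web exposure from an application.properties file.

Added example, not SAP's or Spring's own code. Rules modelled (assumptions
drawn from Spring Boot's documented behaviour):
  * management.endpoints.web.exposure.include / .exclude select endpoints;
    '*' means all, exclude takes precedence, the web default is 'health'.
  * management.endpoint.<id>.enabled, then management.endpoints.enabled-by-default,
    switch an endpoint on or off; 'shutdown' is disabled unless enabled.
"""

# Endpoint IDs known to this example (a subset of Spring Boot's built-ins).
KNOWN_ENDPOINTS = {
    "health", "info", "metrics", "prometheus", "env", "beans", "configprops",
    "mappings", "loggers", "heapdump", "threaddump", "httpexchanges",
    "scheduledtasks", "sessions", "shutdown",
}

# Endpoints that leak secrets or change runtime behaviour when reachable
# without authentication (this example's classification, an assumption).
SENSITIVE = {
    "env", "beans", "configprops", "mappings", "loggers", "heapdump",
    "threaddump", "httpexchanges", "sessions", "shutdown",
}

# Endpoints that stay off unless explicitly enabled.
DISABLED_BY_DEFAULT = {"shutdown"}

# Constructed sample configs (not from any real SAP BTP application).
WEAK_CONFIG = """
# everything exposed over HTTP, remote shutdown switched on
management.endpoints.web.exposure.include=*
management.endpoint.shutdown.enabled=true
"""

HARDENED_CONFIG = """
# only health and metrics on the web, sensitive endpoints explicitly out
management.endpoints.web.exposure.include=health,metrics
management.endpoints.web.exposure.exclude=env,heapdump
management.endpoint.shutdown.enabled=false
management.endpoints.web.base-path=/internal
"""


def parse_properties(text: str) -> dict:
    """Minimal .properties parser: key=value (or key: value) lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def _as_set(value: str) -> set:
    return {v.strip() for v in value.split(",") if v.strip()}


def is_enabled(endpoint: str, props: dict) -> bool:
    """Per-endpoint switch, then the global default, then the built-in default."""
    specific = props.get(f"management.endpoint.{endpoint}.enabled")
    if specific is not None:
        return specific.lower() == "true"
    default = props.get("management.endpoints.enabled-by-default")
    if default is not None:
        return default.lower() == "true"
    return endpoint not in DISABLED_BY_DEFAULT


def exposed_endpoints(props: dict) -> set:
    """Endpoint IDs reachable under the web base path for this config."""
    include = _as_set(props.get("management.endpoints.web.exposure.include", "health"))
    exclude = _as_set(props.get("management.endpoints.web.exposure.exclude", ""))
    selected = set(KNOWN_ENDPOINTS) if "*" in include else include & KNOWN_ENDPOINTS
    if "*" in exclude:
        selected = set()
    selected -= exclude
    return {e for e in selected if is_enabled(e, props)}


def audit(props: dict) -> list:
    """Sorted URL paths of sensitive endpoints this config exposes over HTTP."""
    base = props.get("management.endpoints.web.base-path", "/actuator")
    return sorted(f"{base}/{e}" for e in exposed_endpoints(props) & SENSITIVE)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(parse_properties(cfg))
        print(f"{name}: {len(findings)} sensitive endpoint(s) exposed {findings}")
```

Run against the two constructed configs, the weak one reports ten sensitive paths under /actuator (including /actuator/env, /actuator/heapdump and /actuator/shutdown), the hardened one reports none. Exposure settings alone are not authentication: even the hardened variant should sit behind a Spring Security filter chain or the platform's authentication in front of the base path.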

Summary & Conclusions

With twenty-five SAP Security Notes, including five High Priority Notes, SAP’s March Patch Day is again a busy one. It is the first Patch Day that comes with a CVSS 0.0 note. SAP BTP customers will agree, however, that this note is a perfect example of why CVSS scores alone should not drive the prioritization of SAP Security Notes.

SAP Note | Type | Description | Component | Priority | CVSS
3569602 | New | [CVE-2025-27434] Cross-Site Scripting (XSS) vulnerability in SAP Commerce (Swagger UI) | CEC-SCC-COM-BC-BCOM | High | 8.8
3563927 | New | [CVE-2025-26661] Missing Authorization check in SAP NetWeaver (ABAP Class Builder) | BC-DWB-TOO-CLA | High | 8.8
3566851 | New | [CVE-2024-38286] Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud | CEC-SCC-COM-BBA-COM | High | 8.6
3567974 | Update | [CVE-2025-24876] Authentication bypass via authorization code injection in SAP Approuter | BC-XS-APR | High | 8.1
3483344 | Update | [CVE-2024-39592] Missing Authorization check in SAP PDCE | FIN-BA | High | 7.7
3561045 | New | [CVE-2025-26658] Broken Authentication in SAP Business One (Service Layer) | SBO-CRO-SEC | Medium | 6.8
3552824 | New | [CVE-2025-26659] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML) | BC-FES-WGU | Medium | 6.1
3562390 | New | [CVE-2025-25242] Cross-Site Scripting (XSS) in SAP NetWeaver Application Server ABAP | BC-FES-WGU | Medium | 6.1
3552144 | New | [CVE-2025-25244] Missing Authorization Check in SAP Business Warehouse (Process Chains) | BW-WHM-DST-PC | Medium | 5.7
3557469 | New | [CVE-2025-25245] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence) | BI-RA-WBI-FE-HTM | Medium | 5.4
3567246 | New | [CVE-2025-27431] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java | BC-WD-UR | Medium | 5.4
3561792 | New | [CVE-2025-23194] Missing Authentication check in SAP NetWeaver Enterprise Portal (OBN component) | EP-PIN-OBN | Medium | 5.3
3558132 | New | [CVE-2025-0071] Information Disclosure vulnerability in SAP Web Dispatcher and Internet Communication Manager | BC-CST-IC | Medium | 4.9
3557459 | New | [CVE-2025-0062] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence) | BI-RA-WBI-FE-HTM | Medium | 4.7
3474392 | New | [CVE-2025-26656] Missing Authorization check in S/4HANA (Manage Purchasing Info Records) | MM-FIO-PUR-IR | Medium | 4.3
3565835 | New | [CVE-2025-27433] Broken Access Control vulnerabilities in SAP S/4HANA (Manage Bank Statements) | FI-FIO-AR-PAY | Medium | 4.3
3557655 | New | [CVE-2025-26660] Broken Access Control in SAP Fiori apps (Posting Library) | FI-FIO-GL-TRA | Medium | 4.3
3557131 | New | [CVE-2025-23188] Missing Authorization check in SAP S/4HANA (RBD) | FS-RBD | Medium | 4.3
3475427 | Update | [CVE-2024-41736] Information Disclosure vulnerability in SAP Permit to Work | PM-FIO-WCM | Medium | 4.3
3549494 | New | [CVE-2025-23185] Information Disclosure in SAP Business Objects Business Intelligence Platform | BI-BIP-LCM | Medium | 4.1
3562415 | New | [CVE-2024-38819] Multiple vulnerabilities in Spring Framework within SAP Commerce Cloud and SAP Datahub | CEC-SCC-PLA-PL | Low | 3.7
3561861 | New | [CVE-2025-27430] Server Side Request Forgery (SSRF) in SAP CRM and SAP S/4 HANA (Interaction Center) | CRM-IC-BF | Low | 3.5
3347991 | New | [CVE-2025-26655] Missing Authorization check in SAP JIT (Outbound) | IS-A-JIT | Low | 3.1
3568865 | New | [CVE-2025-27432] Missing Authorization check in SAP Electronic Invoicing for Brazil (eDocument Cockpit) | CA-GTF-CSC-EDO | Low | 2.4
3576540 | New | Open Source Security Advisory: Best Practices for Securing Spring Boot Actuator Endpoints for applications running on BTP | BC-CP-CF-CRTM | Low | 0.0

As always, the Onapsis Research Labs is already updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.

For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defenders Digest Onapsis Newsletter on LinkedIn.