SAP Security Notes: August 2025 Patch Day

Critical Code Injection vulnerability in SAP S/4HANA and SAP Landscape Transformation
Highlights of August SAP Security Notes analysis include:
- August Summary – Twenty-six new and updated SAP security patches released, including four HotNews Notes and three High Priority Notes.
- Two New HotNews Notes – Code Injection vulnerability in remote-enabled SAP Function Module allows injection of arbitrary code.
- Onapsis Research Labs Contribution – Our team supported SAP in patching five vulnerabilities covered by four SAP Security Notes.
SAP has released twenty-six SAP Security Notes on its August Patch Day (including the notes released or updated since the last Patch Tuesday). This includes four HotNews Notes and three High Priority Notes.
The New HotNews Notes in Detail
SAP Security Note #3627998, tagged with a CVSS score of 9.9, patches a critical Code Injection vulnerability in SAP S/4HANA (Private Cloud or On-Premise). The vulnerability exists in a remote-enabled SAP function module and allows attackers to inject arbitrary code into the system. If left unpatched, customers risk a full system compromise, putting the confidentiality, integrity, and availability of the system at very high risk.
SAP Security Note #3633838 addresses the same Code Injection vulnerability for SAP ECC customers who have installed the Data Migration Server (DMIS) add-on version 2011_1_700 or higher.
FAQ Notes attached to both HotNews Notes provide more details about affected releases and potential side effects.
The remaining two HotNews Notes, SAP Security Notes #3581961 and #3610892, contain updated information:
SAP Security Note #3581961, tagged with a CVSS score of 9.9, patches a Code Injection vulnerability in SAP S/4HANA (Private Cloud or On-Premise). SAP has added information to the ’Support Packages & Patches’ section.
SAP Security Note #3610892, tagged with a CVSS score of 9.1, was initially released on SAP’s July Patch Day in collaboration with Onapsis. SAP has added a workaround for customers who can’t apply the fixing Support Package Patch Level yet: stop the affected service and add a startup filter so that it does not start automatically on the next system restart.
The New High Priority Notes in Detail
SAP Security Note #3625403, tagged with a CVSS score of 8.8, patches a Broken Authorization vulnerability in SAP Business One (SLD). Normal Business One users, logged in via the SAP Business One native client, are able to invoke an API that is intended for administrators only. As a result, they could obtain administrative privileges, which a malicious user could use to negatively impact the confidentiality, integrity, and availability of the application.
The Onapsis Research Labs (ORL) supported SAP in patching two vulnerabilities in the Business Information Collection (BIC) Document application of SAP NetWeaver Application Server ABAP. The ORL detected that an authenticated attacker can submit specially crafted requests to the application that cause a memory corruption error. Repeated submission of such requests can make the target completely unavailable. Additionally, requests can be manipulated to perform an out-of-bounds read, revealing sensitive information that is loaded in memory. The vulnerability is tagged with a CVSS score of 8.1 and is patched by SAP with SAP Security Note #3611184.
The same note patches a Reflected Cross-Site Scripting vulnerability in the application, tagged with a CVSS score of 6.1. The ORL noticed that the BIC Document application allows an unauthenticated attacker to craft a URL that embeds a malicious script when accessed. When a victim clicks on this link, the script executes in the victim’s browser, allowing the attacker to access and/or modify information related to the web client without affecting availability.
We also recommend reading the updated High Priority Note #3600846 that is tagged with a CVSS score of 8.1. SAP has added another HMAC Key that could require regeneration to patch the vulnerability.
Onapsis Contribution
Once more, the Onapsis Research Labs (ORL) made a significant contribution to SAP’s Patch Day. The team supported SAP in patching five vulnerabilities, covered by four SAP Security Notes.
In addition to the two vulnerabilities that were patched by SAP with High Priority Note #3611184, the following SAP Security Notes were published in collaboration with the ORL team:
SAP Security Note #3629871, tagged with a CVSS score of 6.1, patches a Cross-Site Scripting vulnerability in SAP NetWeaver ABAP Platform. The vulnerability allows an unauthenticated attacker to generate a malicious link and make it publicly accessible. If an authenticated user clicks on this link, the injected input is processed during the website’s page generation, resulting in the creation of malicious content. When this malicious content is executed, the attacker could gain the ability to access and modify information within the scope of the victim’s browser, with low impact on the application’s confidentiality and integrity.
SAP Security Note #3597355, tagged with a CVSS score of 6.1, patches a similar Cross-Site Scripting vulnerability in SAP NetWeaver Application Server for ABAP. The main difference is that the victim doesn’t require authentication here to execute the malicious code.
SAP Security Note #3601480, tagged with a CVSS score of 4.1, addresses an Information Disclosure vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (ICM). The ORL team detected that the ICM allows authorized users with admin privileges and local access to log files to read sensitive information.
Summary & Conclusions
Although SAP’s August Patch Day comes with twenty-six SAP Security Notes, including four HotNews and three High Priority Notes, it is a much calmer Patch Day than last month. The first reason is that no fewer than eleven SAP Security Notes are updates to previously released SAP Security Notes. The second reason is that the two new HotNews Notes address the same issue, but for different environments. This means that no system requires both patches.
| SAP Note | Type | Description | Priority | CVSS |
|---|---|---|---|---|
| 3633838 | New | [CVE-2025-42950] Code Injection Vulnerability in SAP Landscape Transformation (Analysis Platform) CA-LT-ANA | HotNews | 9.9 |
| 3627998 | New | [CVE-2025-42957] Code Injection vulnerability in SAP S/4HANA (Private Cloud or On-Premise) CA-DT-ANA | HotNews | 9.9 |
| 3581961 | Update | [CVE-2025-27429] Code Injection Vulnerability in SAP S/4HANA (Private Cloud or On-Premise) CA-LT-ANA | HotNews | 9.9 |
| 3610892 | Update | [CVE-2025-42966] Insecure Deserialization vulnerability in SAP NetWeaver (XML Data Archiving Service) BC-ILM-DAS | HotNews | 9.1 |
| 3625403 | New | [CVE-2025-42951] Broken Authorization in SAP Business One (SLD) SBO-BC-SLD | High | 8.8 |
| 3611184 | New | [CVE-2025-42976] Multiple vulnerabilities in SAP NetWeaver Application Server ABAP (BIC Document) FIN-SEM-CPM | High | 8.1 |
| 3600846 | Update | [CVE-2025-42959] Missing Authentication check after implementation of SAP Security Note 3007182 and 3537476 BC-MID-RFC | High | 8.1 |
| 3614804 | New | [CVE-2025-42946] Directory Traversal vulnerability in SAP S/4HANA (Bank Communication Management) FIN-FSCM-BNK | Medium | 6.9 |
| 3585491 | New | [CVE-2025-42945] HTML Injection vulnerability in SAP NetWeaver Application Server ABAP BC-FES-WGU | Medium | 6.1 |
| 3629871 | New | [CVE-2025-42948] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Platform CRM-BF-ML | Medium | 6.1 |
| 3597355 | New | [CVE-2025-42942] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server for ABAP BC-MID-ICF | Medium | 6.1 |
| 3596987 | Update | [CVE-2025-42969] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform BC-MID-AC | Medium | 6.1 |
| 3617131 | Update | [CVE-2025-42981] Multiple vulnerabilities in SAP NetWeaver Application Server ABAP BC-FES-ITS | Medium | 6.1 |
| 3503138 | Update | [CVE-2025-0059] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML) BC-FES-WGU | Medium | 6.0 |
| 3585992 | Update | [CVE-2025-43008] Missing Authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal PY-PT | Medium | 5.8 |
| 3540688 | Update | [CVE-2025-42947] Code Injection vulnerability in SAP FICA ODN framework FI-LOC-CA-XX | Medium | 5.5 |
| 3602656 | New | [CVE-2025-42936] Missing Authorization check in SAP NetWeaver Application Server for ABAP BC-SRV-ARL-INT | Medium | 5.4 |
| 3561792 | Update | [CVE-2025-23194] Missing Authentication check in SAP NetWeaver Enterprise Portal (OBN component) EP-PIN-OBN | Medium | 5.3 |
| 3626722 | New | [CVE-2025-42949] Missing Authorization check in ABAP Platform BC-DWB-UTL-BRR | Medium | 4.9 |
| 3627845 | New | [CVE-2025-42943] Information Disclosure in SAP GUI for Windows BC-FES-GUI | Medium | 4.5 |
| 3616863 | New | [CVE-2025-42934] CRLF Injection vulnerability in SAP S/4HANA (Supplier invoice) CA-DMS | Medium | 4.3 |
| 3577131 | Update | [CVE-2025-31331] Authorization Bypass vulnerability in SAP NetWeaver CA-GTF-TS-GMA | Medium | 4.3 |
| 3601480 | New | [CVE-2025-42935] Information Disclosure vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Manager) BC-CST-IC | Medium | 4.1 |
| 3611345 | New | [CVE-2025-42955] Missing authorization check in SAP Cloud Connector BC-MID-SCC | Low | 3.5 |
| 3624943 | New | [CVE-2025-42941] Reverse Tabnabbing vulnerability in SAP Fiori (Launchpad) CA-FLP-FE-COR | Low | 3.5 |
| 3557179 | Update | [CVE-2025-42978] Insufficiently Secure Hostname Verification for Outbound TLS Connections in SAP NetWeaver Application Server Java BC-JAS-SEC | Low | 3.5 |
As always, the Onapsis Research Labs is already updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.
For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly LinkedIn Defenders Digest Newsletter.