SAP Security Notes: July 2025 Patch Day

Security Notes

Critical CVSS Score 10 for Insecure Deserialization Vulnerability in SAP SRM Live Auction Cockpit

Highlights of July SAP Security Notes analysis include:

  • July Summary: Thirty new and updated SAP security patches released, including six HotNews Notes and five High Priority Notes
  • Critical Update: Onapsis Research Labs identified a CVSS 10.0 on a vulnerability in Live Auction Cockpit
  • Onapsis Research Labs Contribution: Our team supported SAP in patching fifteen vulnerabilities, covered by fourteen SAP Security Notes

SAP has published thirty new and updated SAP Security Notes in its July Patch Day, including six HotNews Notes and five High Priority Notes. Fourteen Security Notes were published with contributions from the Onapsis Research Labs.

The HotNews Notes in Detail

SAP released High Priority Note #3578900 on its May Patch Day, which patched five vulnerabilities in the Live Auction Cockpit of SAP Supplier Relationship Management (SRM). The CVSS scores of the vulnerabilities were between 3.9 (CVE-2025-30012) and 8.6 (CVE-2025-30018). The Onapsis Research Labs (ORL) collaborated closely with SAP on CVE-2025-30012, as the Insecure Deserialization vulnerability allows unauthenticated attackers to run arbitrary OS commands on the target system as an SAP Administrator. We would like to acknowledge SAP’s rapid response and diligence in releasing these security updates. Details about the vulnerability will be reviewed in depth in this blog post.

The ORL detected another four critical Insecure Deserialization vulnerabilities in SAP NetWeaver AS Java and in the Enterprise Portal, all tagged as HotNews Notes with a CVSS score of 9.1.

SAP Security Note #3610892 patches an Insecure Deserialization vulnerability in the XML Data Archiving Service of SAP NetWeaver AS Java. The vulnerability enables an attacker with administrative privileges to send a specially crafted serialized Java object that puts the confidentiality, integrity, and availability of the application at high risk.

The second Insecure Deserialization vulnerability was detected by the ORL in the Log Viewer of SAP NetWeaver AS Java. It allows authenticated attackers with administrative privileges and full access to the Log Viewer to execute malicious code, granting them complete control over the affected application and system. SAP Security Note #3621771 provides a patch and a workaround for the issue. It also references an FAQ Note for further information.

The ORL supported SAP in patching two Insecure Deserialization vulnerabilities in SAP NetWeaver Enterprise Portal. They allow a privileged user to upload untrusted or malicious content that can lead to a full compromise of the host system. SAP Security Note #3621236 patches this issue in Portal Administration and SAP Security Note #3620498 provides a fix for the Federated Portal Network.
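The five HotNews Notes above share one root cause: application code that calls ObjectInputStream.readObject() on attacker-influenced bytes. The following is an added illustration, not code from SAP or from any of the notes, of the standard JDK-level mitigation for that class of bug: an allowlist ObjectInputFilter (JEP 290, JDK 9+) that rejects any class not explicitly expected before it is instantiated. The Settings class, the filter limits and the sample inputs are assumptions made for the example.

```java
import java.io.*;

// Added example: deserialize only an explicitly allowlisted class and reject
// everything else before any object is instantiated (java.io.ObjectInputFilter).
public class SafeDeserialize {

    // Hypothetical application-owned payload type standing in for real data.
    public static final class Settings implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        final int timeoutSeconds;
        Settings(String name, int timeoutSeconds) {
            this.name = name;
            this.timeoutSeconds = timeoutSeconds;
        }
    }

    // Allowlist: our DTO and String; "!*" rejects every other class. The limits
    // bound nesting depth, object-graph size and stream length so that a payload
    // naming only permitted classes cannot exhaust resources either.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "SafeDeserialize$Settings;java.lang.String;!*;maxdepth=4;maxrefs=64;maxbytes=16384");

    static Settings readSettings(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(FILTER);   // must be set before the first readObject()
            return (Settings) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a legitimate object and one whose class is not allowlisted.
        Settings ok = readSettings(serialize(new Settings("archive", 30)));
        System.out.println("accepted: " + ok.name + "/" + ok.timeoutSeconds);
        try {
            readSettings(serialize(new java.util.HashMap<String, String>()));
        } catch (InvalidClassException e) {
            // The filter rejects the class descriptor; no HashMap is ever created.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

For a third-party application you cannot change, the same pattern syntax can be applied process-wide through the `jdk.serialFilter` system property, which is often the more practical interim control while a vendor patch is being rolled out.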

SAP Security Note #3618955, tagged with a CVSS score of 9.9, was also reported by external researchers and patches a Remote Code Execution vulnerability in SAP S/4HANA and SAP SCM. A vulnerable remote-enabled function module of the application allows an attacker with high privileges to create a new report containing arbitrary code, potentially gaining full control of the affected SAP system. The patch disables this possibility for external calls of the function module.

The High Priority Notes in Detail

The ORL detected a Missing Authentication Check vulnerability in SAP NetWeaver AS ABAP and ABAP Platform that occurs after the implementation of SAP Security Notes #3007182 and #3537476. An unauthenticated attacker can use a Hashed Message Authentication Code (HMAC) credential, extracted from a system missing specific security patches, in a replay attack against another system. Even if the target system is fully patched, successful exploitation could result in a complete system compromise. SAP Security Note #3600846, tagged with a CVSS score of 8.1, addresses this issue and provides a guideline for a manual correction.

SAP Security Note #3623440, tagged with a CVSS score of 8.1, patches a Missing Authorization Check vulnerability in SAP NetWeaver AS ABAP. A remote-enabled function module that deletes all operation modes and instances is not protected through an explicit authorization check which can result in a complete compromise of the system’s integrity and availability.

SAP Security Note #3565279, tagged with a CVSS score of 8.0, addresses an Insecure File Operations vulnerability in SAP Business Objects Business Intelligence Platform (CMC). The vulnerability is caused by an older version of Apache Struts which is vulnerable to CVE-2024-53677. The patch includes an updated, secure version of Apache Struts.

A Missing Authorization Check vulnerability in SAP Business Warehouse and SAP Plug-In Basis, tagged with a CVSS score of 7.7, is patched with SAP Security Note #3623255. A remote-enabled function module allows a user to add additional fields to arbitrary tables and structures. On successful exploitation, an attacker can render the system completely unusable by triggering short dumps on login. The patch adds an explicit authorization check to the affected function module.

High Priority SAP Security Note #3610591, tagged with a CVSS score of 7.6, contains updated information about a Directory Traversal vulnerability that was initially patched on SAP’s June Patch Day. Among others, KBA 3619959 was added to the note.

Further Onapsis Contribution

In addition to the HotNews Notes and High Priority Notes, our ORL team supported SAP in patching nine Medium Priority vulnerabilities, covered by eight SAP Security Notes, including three Cross-Site Scripting, two Open Redirect and four Missing Authorization Check vulnerabilities.

SAP Security Note #3604212, tagged with a CVSS of 6.1, patches a Cross-Site Scripting vulnerability in SAP Business Warehouse that can only be exploited if the SICF service ‘BExLoading’ is activated and exposed to the client network layer. An attacker can trick an authenticated user into clicking a malicious link containing an injected script that gets executed within the scope of the victim’s browser.

A similar Cross-Site Scripting vulnerability was found in SAP NetWeaver AS ABAP and ABAP Platform. It is also tagged with a CVSS score of 6.1 and can be patched by implementing SAP Security Note #3596987.

SAP Security Note #3617131 patches two vulnerabilities in SAP NetWeaver AS ABAP, both tagged with a CVSS score of 6.1. The first is a Reflected Cross-Site Scripting vulnerability that can be exploited to generate malicious content during web page generation which, when executed in a victim’s browser, has a low impact on confidentiality and integrity. The second is an Open Redirect vulnerability that allows an unauthenticated attacker to craft a URL link embedding a malicious script that is not properly sanitized. When a victim clicks on this link, the script executes within the victim’s browser, redirecting them to a site controlled by the attacker.

Another Open Redirect vulnerability was detected by the ORL team in SAP BusinessObjects Content Administrator Workbench. It can be patched by implementing SAP Security Note #3617380, tagged with a CVSS score of 6.1.

The four Missing Authorization Check vulnerabilities that were patched by SAP in collaboration with the ORL team affect four remote-enabled function modules:

SAP Note | CVSS | Affected Application | Comment
---------|------|----------------------|--------
3621037 | 5.0 | SAP NetWeaver AS ABAP | Patch disables the function module.
3610056 | 4.3 | SAP NetWeaver AS ABAP & ABAP Platform | Patch adds authorization checks. The note states: “There is no known impact on existing functionalities following the implementation of SAP Security Note: Be aware that you would need to have installed ST-PI 740 SP31 or 2008_1_700 SP40 ST-PI Support Package to avoid any risk of incompatibility with the current correction.”
3608991 | 4.3 | SAP Business Warehouse & SAP BW/4HANA BEx Tools | Patch adds authorization checks.
3626440 | 4.3 | SAP NetWeaver AS ABAP & ABAP Platform | Patch disables the function module. The note states: “There is no known impact on existing functionalities following the implementation of this SAP Security note. Be aware that you would need to have installed recent SAP_BASIS Support Package to avoid any risk of incompatibility with the current correction.”

Summary & Conclusions

With thirty new and updated Security Notes, including six HotNews Notes and five High Priority Notes, this is an extraordinary Patch Day for SAP customers. We are happy that the Onapsis Research Labs could significantly contribute to increasing the security of SAP applications. 

SAP Note | Type | Description | Component | Priority | CVSS
---------|------|-------------|-----------|----------|-----
3578900 | Update | [CVE-2025-30012] Multiple vulnerabilities in SAP Supplier Relationship Management (Live Auction Cockpit) | SRM-LA | HotNews | 10.0
3618955 | New | [CVE-2025-42967] Code Injection vulnerability in SAP S/4HANA and SAP SCM (Characteristic Propagation) | SCM-APO-PPS | HotNews | 9.9
3610892 | New | [CVE-2025-42966] Insecure Deserialization vulnerability in SAP NetWeaver (XML Data Archiving Service) | BC-ILM-DAS | HotNews | 9.1
3621236 | New | [CVE-2025-42964] Insecure Deserialization in SAP NetWeaver Enterprise Portal Administration | BC-PIN-PCD | HotNews | 9.1
3620498 | New | [CVE-2025-42980] Insecure Deserialization in SAP NetWeaver Enterprise Portal Federated Portal Network | EP-PIN-FPN | HotNews | 9.1
3621771 | New | [CVE-2025-42963] Insecure Deserialization in SAP NetWeaver Application Server for Java (Log Viewer) | BC-JAS-ADM-LOG | HotNews | 9.1
3600846 | New | [CVE-2025-42959] Missing Authentication check after implementation of SAP Security Note 3007182 and 3537476 | BC-MID-RFC | High | 8.1
3623440 | New | [CVE-2025-42953] Missing Authorization check in SAP NetWeaver Application Server for ABAP | BC-CCM-CNF-OPM | High | 8.1
3565279 | New | [CVE-2024-53677] Insecure File Operations vulnerability in SAP Business Objects Business Intelligence Platform (CMC) | BI-BIP-CMC | High | 8.0
3623255 | New | [CVE-2025-42952] Missing Authorization check in SAP Business Warehouse and SAP Plug-In Basis | CRM-MW-ADP | High | 7.7
3610591 | Update | [CVE-2025-42977] Directory Traversal vulnerability in SAP NetWeaver Visual Composer | EP-VC-INF | High | 7.6
3595143 | New | [CVE-2025-43001] Multiple Privilege Escalation Vulnerabilities in SAPCAR | BC-INS-TLS | Medium | 6.9
3580384 | Update | [CVE-2025-42993] Missing Authorization Check in SAP S/4HANA (Enterprise Event Enablement) | OPU-XBE | Medium | 6.7
3604212 | New | [CVE-2025-42962] Cross-Site Scripting (XSS) vulnerability in SAP Business Warehouse (Business Explorer Web 3.5 loading animation) | BW-BEX-ET-WEB | Medium | 6.1
3617380 | New | [CVE-2025-42985] Open Redirect vulnerability in SAP BusinessObjects Content Administrator workbench | BI-RA-CR | Medium | 6.1
3617131 | New | [CVE-2025-42981] Multiple vulnerabilities in SAP NetWeaver Application Server ABAP | BC-FES-ITS | Medium | 6.1
3596987 | New | [CVE-2025-42969] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | BC-MID-AC | Medium | 6.1
3595156 | New | [CVE-2025-42970] Directory Traversal vulnerability in SAPCAR | BC-INS-TLS | Medium | 5.8
3607513 | New | [CVE-2025-42979] Insecure Key & Secret Management vulnerability in SAP GUI for Windows | BC-FES-GXT | Medium | 5.6
3606103 | New | [CVE-2025-42973] Cross-Site Scripting (XSS) vulnerability in SAP Data Services (DQ Report) | EIM-DS-SVR | Medium | 5.4
3621037 | New | [CVE-2025-42968] Missing Authorization check in SAP NetWeaver (RFC enabled function module) | SV-SMG-MON-REP | Medium | 5.0
3610322 | New | [CVE-2025-42961] Missing Authorization check in SAP NetWeaver Application Server for ABAP | BC-DB-DBI | Medium | 4.9
3610056 | New | [CVE-2025-42974] Missing Authorization Check in SAP NetWeaver and ABAP Platform (SDCCN) | SV-SMG-SDD | Medium | 4.3
3608991 | New | [CVE-2025-42960] Missing Authorization Check in SAP Business Warehouse and SAP BW/4HANA BEx Tools | BW-BEX-ET | Medium | 4.3
3626440 | New | [CVE-2025-42986] Missing Authorization check in SAP NetWeaver and ABAP Platform | SV-SMG-SDD | Medium | 4.3
3598118 | New | [CVE-2025-42965] Server Side Request Forgery (SSRF) vulnerability in SAP BusinessObjects BI Platform Central Management Console Promotion Management Application | BI-BIP-LCM | Medium | 4.1
3573199 | New | [CVE-2025-31326] HTML Injection vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence) | BI-RA-WBI-FE-HTM | Medium | 4.1
3595141 | New | [CVE-2025-42971] Memory Corruption vulnerability in SAPCAR | BC-INS-TLS | Medium | 4.0
3557179 | New | [CVE-2025-42978] Insufficiently Secure Hostname Verification for Outbound TLS Connections in SAP NetWeaver Application Server Java | BC-JAS-SEC | Low | 3.5
3608156 | New | [CVE-2025-42954] Denial of service (DOS) in SAP NetWeaver Business Warehouse (CCAW application) | BW-BEX-ET | Low | 2.7

As always, the Onapsis Research Labs is already updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.

For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defenders Digest Onapsis Newsletter.