SAP Security Notes: June 2025 Patch Day


Critical Missing Authorization Check in RFC Framework Requires Immediate Kernel Update

Welcome to our analysis of SAP’s June Patch Day. For an in-depth guide on SAP security notes, their importance, and best practices for managing them, be sure to visit our comprehensive SAP Patch Day Overview.

Highlights of June SAP Security Notes analysis include:

  • June Summary: Nineteen new and updated SAP security patches released, including two HotNews Notes and seven High Priority Notes
  • Critical Missing Authorization Check: A vulnerability in the RFC framework requires an immediate kernel update
  • Onapsis Research Labs Contribution: Our team supported SAP in patching four vulnerabilities, covered by two SAP Security Notes

SAP has published nineteen new and updated SAP Security Notes in its June Patch Day, including two HotNews Notes and seven High Priority Notes. Two of the fourteen new Security Notes were published in contribution with the Onapsis Research Labs.

The HotNews Notes in Detail

SAP Security Note #3600840, tagged with a CVSS score of 9.6, patches a critical Missing Authorization Check vulnerability in the Remote Function Call (RFC) framework of SAP NetWeaver Application Server ABAP (AS ABAP). Under certain conditions, authenticated attackers can bypass the standard authorization check on authorization object S_RFC when using transactional RFC (tRFC) or queued RFC (qRFC), leading to an escalation of privileges. This allows an attacker to critically impact the application’s integrity and availability. The security note points out that the change may require additional S_RFC authorizations to be assigned to some users. The referenced FAQ SAP Note #3601919 explains how to identify these users and how, once roles have been adjusted, to activate the additional S_RFC check by setting profile parameter rfc/authCheckInPlayback to 1.
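The remediation sequence the note describes (apply the kernel update, assign any missing S_RFC authorizations, then switch rfc/authCheckInPlayback to 1) leaves a configuration state that can be verified on the profile side. The script below is an added example written for this article, not SAP's or Onapsis' own tooling. It assumes the standard SAP profile file syntax (one `name = value` per line, `#` starting a comment line, later assignments overriding earlier ones), assumes that an instance profile overrides DEFAULT.PFL, and runs on constructed profile text embedded inline.

```python
"""Report whether rfc/authCheckInPlayback is active per SAP instance.

Added example for this write-up, not SAP's or Onapsis' code. Assumptions:
- SAP profile syntax: 'name = value' per line, '#' starts a comment line,
  a later assignment of the same name overrides an earlier one;
- instance profiles override DEFAULT.PFL (SAP's profile precedence);
- the activating value for rfc/authCheckInPlayback is 1, as SAP Note
  #3601919 describes; any other value is treated as inactive.
"""
import re

PARAM = "rfc/authCheckInPlayback"
# Parameter names contain letters, digits, '_', '/', '.' and '-'.
_ASSIGNMENT = re.compile(r"^([A-Za-z0-9_/.\-]+)\s*=\s*(.*?)$")


def parse_profile(text):
    """Return {parameter: value} for one profile file's text."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment (commented-out settings do not count)
        match = _ASSIGNMENT.match(line)
        if match:
            params[match.group(1)] = match.group(2).strip()
    return params


def playback_check_state(params):
    """'active' if the parameter is 1, 'inactive' for any other value,
    'unset' if the profile does not mention it (kernel default applies)."""
    value = params.get(PARAM)
    if value is None:
        return "unset"
    return "active" if value == "1" else "inactive"


def assess_instances(default_text, instance_texts):
    """Merge DEFAULT.PFL with each instance profile and classify each instance.

    instance_texts: {instance profile name: profile text}
    """
    defaults = parse_profile(default_text)
    result = {}
    for name, text in instance_texts.items():
        merged = dict(defaults)
        merged.update(parse_profile(text))  # instance profile wins
        result[name] = playback_check_state(merged)
    return result


# Constructed sample profiles (not taken from any real system).
SAMPLE_DEFAULT_PFL = """\
# DEFAULT.PFL (constructed sample)
SAPSYSTEMNAME = XYZ
rfc/authCheckInPlayback = 0
"""

SAMPLE_INSTANCES = {
    "XYZ_D00_hostA": "# roles adjusted, check switched on\nrfc/authCheckInPlayback = 1\n",
    "XYZ_D01_hostB": "# inherits the value 0 from DEFAULT.PFL\nlogin/no_automatic_user_sapstar = 1\n",
    "XYZ_D02_hostC": "# only a commented-out setting, so the default applies\n# rfc/authCheckInPlayback = 1\n",
}


if __name__ == "__main__":
    for instance, state in assess_instances(SAMPLE_DEFAULT_PFL, SAMPLE_INSTANCES).items():
        print(f"{instance}: {PARAM} is {state}")
```

The profile text only shows what is configured: a changed profile takes effect when the instance is restarted, so confirm the effective value in the running system (transaction RZ11 displays the current value of a profile parameter), and remember that the parameter is only meaningful on a kernel that already contains the correction from SAP Security Note #3600840. An instance reported as "unset" above inherits the kernel default, which the FAQ note documents.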

SAP Security Note #3604119, tagged with a CVSS score of 9.1, is just a textual update on the critical patch for SAP Visual Composer that was initially released by SAP in collaboration with Onapsis on its May Patch Day. The update underlines that the patch has to be implemented irrespective of a prior implementation of SAP Security Note #3594142.

The High Priority Notes in Detail

SAP Security Note #3609271, tagged with a CVSS score of 8.8, disables a vulnerable report in SAP GRC that allows a low-privileged user to initiate transactions through which they could modify or control transmitted system credentials. A successful exploit can cause a high impact on the application’s confidentiality, integrity, and availability.

SAP Security Note #3474398, tagged with a CVSS score of 8.7, was initially released on SAP’s January Patch Day and fixes an Information Disclosure and a Code Injection vulnerability in SAP BusinessObjects Business Intelligence Platform. The note has been re-released with updated ‘Validity’ and ‘Support Packages & Patches’ information.

SAP Security Note #3606484, tagged with a CVSS score of 8.5, addresses a Missing Authorization check in SAP Business Warehouse and SAP Plug-In Basis. A remote-enabled function module allows the generic deletion of database tables without prior authorization check. The implementation of the note disables the relevant source code.

A missing or insufficient sanitization of input text in SAP BusinessObjects Business Intelligence (BI Workspace) allows an unauthenticated attacker to craft and store a malicious script within a workspace. On subsequent access to the workspace, the script is executed in a victim’s browser, potentially enabling the attacker to access sensitive session information, or to modify browser information or make it unavailable. The Cross-Site Scripting vulnerability is patched with SAP Security Note #3560693, which is tagged with a CVSS score of 8.2.

SAP Security Note #3591978, tagged with a CVSS score of 7.7, was initially released on SAP’s May Patch Day in collaboration with the Onapsis Research Labs. The note patches a Missing Authorization Check vulnerability in SAP Landscape Transformation and is re-released with updated ‘Validity’ and ‘Support Packages & Patches’ information.

After the critical patches for SAP Visual Composer that were released in April and May, SAP has released another patch for the application on its June Patch Day. SAP Security Note #3610591, tagged with a CVSS score of 7.6, patches a Directory Traversal vulnerability that is caused by insufficient validation of input paths provided by a high-privileged user. On successful exploit, an attacker can read and modify arbitrary files.

SAP Security Note #3610006, tagged with a CVSS score of 7.5, patches three vulnerabilities in SAP Master Data Management (MDM) Server. All three vulnerabilities were identified by the Onapsis Research Labs (ORL) and could promptly be fixed by SAP in collaboration with the ORL team. Two of the three vulnerabilities are Memory Corruption vulnerabilities, allowing an attacker to send specially crafted packets which could trigger a memory read access violation in the server process. As a result, the process fails and exits unexpectedly, causing a high impact on the availability of the application. The third vulnerability is an Insecure Session Management vulnerability allowing an attacker to gain control of existing client sessions and execute certain functions without the need for re-authentication. On successful exploit, the attacker can read and modify non-sensitive information or consume sufficient resources to degrade the performance of the server.

Onapsis Contribution

In addition to the three vulnerabilities that were patched with SAP Security Note #3610006, the ORL team supported SAP in fixing a Cross-Site Scripting (XSS) Vulnerability in the keyword documentation of SAP NetWeaver AS ABAP. Due to insufficient URL request validation, an unauthenticated attacker could inject malicious JavaScript into a web page through an unprotected parameter. On subsequent access by a victim, the script executes in their browser, providing the attacker limited access to restricted information. SAP Security Note #3590887, tagged with a CVSS score of 5.8, introduces proper URL request validation for unprotected parameters.

Summary & Conclusions

With nineteen Security Notes including one new HotNews Note and five new High Priority Notes, SAP’s June Patch Day is an average one. Special attention should be paid to SAP Security Note #3600840 and immediate patching is strongly recommended.

| SAP Note | Type | CVE | Description | Component | Priority | CVSS |
|---|---|---|---|---|---|---|
| 3600840 | New | CVE-2025-42989 | Missing Authorization check in SAP NetWeaver Application Server for ABAP | BC-MID-RFC-QT | HotNews | 9.6 |
| 3604119 | Update | CVE-2025-42999 | Insecure Deserialization in SAP NetWeaver (Visual Composer development server) | EP-VC-INF | HotNews | 9.1 |
| 3609271 | New | CVE-2025-42982 | Information Disclosure in SAP GRC (AC Plugin) | GRC-ACP | High | 8.8 |
| 3474398 | Update | CVE-2025-0061 | Multiple vulnerabilities in SAP BusinessObjects Business Intelligence Platform | BI-BIP-INV | High | 8.7 |
| 3606484 | New | CVE-2025-42983 | Missing Authorization check in SAP Business Warehouse and SAP Plug-In Basis | CRM-MW | High | 8.5 |
| 3560693 | New | CVE-2025-23192 | Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence (BI Workspace) | BI-BIP-INV | High | 8.2 |
| 3591978 | Update | CVE-2025-43011 | Missing Authorization Check in SAP Landscape Transformation (PCL Basis) | CA-LT-PCL | High | 7.7 |
| 3610591 | New | CVE-2025-42977 | Directory Traversal vulnerability in SAP NetWeaver Visual Composer | EP-VC-INF | High | 7.6 |
| 3610006 | New | CVE-2025-42994 | Multiple vulnerabilities in SAP MDM Server | MDM-FN-MDS-SEC | High | 7.5 |
| 3580384 | New | CVE-2025-42993 | Missing Authorization Check in SAP S/4HANA (Enterprise Event Enablement) | OPU-XBE | Medium | 6.7 |
| 3590887 | New | CVE-2025-31325 | Cross-Site Scripting (XSS) Vulnerability in SAP NetWeaver (ABAP Keyword Documentation) | BC-ABA-LA | Medium | 5.8 |
| 3585992 | Update | CVE-2025-43008 | Missing Authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal | PY-PT | Medium | 5.8 |
| 3441087 | New | CVE-2025-42984 | Missing Authorization check in SAP S/4HANA (Manage Central Purchase Contract application) | MM-PUR-HUB-CTR | Medium | 5.4 |
| 3594258 | New | CVE-2025-42998 | Security misconfiguration vulnerability in SAP Business One Integration Framework | SBO-INT-B1IF | Medium | 5.3 |
| 3608058 | New | CVE-2025-42991 | Missing Authorization check in SAP S/4HANA (Bank Account Application) | FIN-FSCM-CLM-BAM | Medium | 4.3 |
| 3596850 | New | CVE-2025-42987 | Missing Authorization Check in SAP S/4HANA (Manage Processing Rules – For Bank Statement) | FI-FIO-AR-PAY | Medium | 4.3 |
| 3585545 | New | CVE-2025-42988 | Server-Side Request Forgery in SAP Business Objects Business Intelligence Platform | BI-BIP-INV | Low | 3.7 |
| 3426825 | Update | CVE-2025-23191 | Cache Poisoning through header manipulation vulnerability in SAP Fiori for SAP ERP | OPU-GW-COR | Low | 3.1 |
| 3601169 | New | CVE-2025-42990 | HTML Injection in Unprotected SAPUI5 applications | CA-UI5-SC | Low | 3.0 |

As always, the Onapsis Research Labs is already updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.

For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defenders Digest Onapsis Newsletter on LinkedIn.