
SAP Patches Critical Code Injection Vulnerabilities

SAP released 20 security notes on April 2025 patch day, including three addressing critical code injection and authentication bypass flaws.


SAP on Tuesday announced the release of 18 new and two updated security notes as part of its April 2025 Security Patch Day, including three notes addressing critical-severity vulnerabilities.

The first two critical flaws, tracked as CVE-2025-27429 and CVE-2025-31330 (CVSS score of 9.9), are code injection bugs in S/4HANA (Private Cloud) and Landscape Transformation (Analysis Platform).

According to enterprise software security firm Onapsis, however, the CVEs refer to the same security defect and SAP’s patches for them disable the same remote-enabled function module in both products.

“If unpatched, the function module accepts any text as input parameter and generates an ABAP report based on this input using the INSERT REPORT statement. For a successful exploit, it only requires S_RFC authorization on the respective function module or on the corresponding function group,” Onapsis explains.

Tracked as CVE-2025-30016 (CVSS score of 9.8), the third critical-severity vulnerability is an authentication bypass issue in Financial Consolidation that could allow an unauthenticated attacker to impersonate an administrator user.

Of the remaining notes released on SAP’s April 2025 Patch Day, five address high-severity vulnerabilities, including an updated note that resolves an improper authorization in BusinessObjects Business Intelligence platform.


SAP also resolved high-severity bugs in NetWeaver Application Server ABAP, Commerce Cloud, and Capital Yield Tax Management. The Commerce Cloud issue, a race condition in Apache Tomcat, can only be exploited if three conditions are met, none of which applies by default.

On Tuesday, SAP also released fixes for 10 medium-severity and one low-severity bug in Commerce Cloud, ERP BW Business Content, BusinessObjects, KMC WPC, NetWeaver, Solution Manager, S4CORE entity, and S/4 HANA.

Although SAP makes no mention of any of these vulnerabilities being exploited in the wild, organizations are advised to apply the patches as soon as possible.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
