Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

SAP Patches Critical Code Injection Vulnerabilities

SAP released 20 security notes on April 2025 patch day, including three addressing critical code injection and authentication bypass flaws.

SAP zero-day exploited

SAP on Tuesday announced the release of 18 new and two updated security notes as part of its April 2025 Security Patch Day, including three notes addressing critical-severity vulnerabilities.

The first two critical flaws, tracked as CVE-2025-27429 and CVE-2025-31330 (CVSS score of 9.9) are code injection bugs in S/4HANA (Private Cloud) and Landscape Transformation (Analysis Platform).

According to enterprise software security firm Onapsis, however, the CVEs refer to the same security defect and SAP’s patches for them disable the same remote-enabled function module in both products.

“If unpatched, the function module accepts any text as input parameter and generates an ABAP report based on this input using the INSERT REPORT statement. For a successful exploit, it only requires S_RFC authorization on the respective function module or on the corresponding function group,” Onapsis explains.

Tracked as CVE-2025-30016 (CVSS score of 9.8), the third critical-severity vulnerability is an authentication bypass issue in Financial Consolidation that could allow an unauthenticated attacker to impersonate an administrator user.

Of the remaining notes released on SAP’s April 2025 Patch Day, five address high-severity vulnerabilities, including an updated note that resolves an improper authorization in BusinessObjects Business Intelligence platform.

SAP also resolved high-severity bugs in NetWeaver Application Server ABAP, Commerce Cloud, and Capital Yield Tax Management. The Commerce Cloud issue, a race condition in Apache Tomcat, can only be exploited if three conditions are met, none of which applies by default.

On Tuesday, SAP also released fixes for 10 medium-severity and one low-severity bug in Commerce Cloud, ERP BW Business Content, BusinessObjects, KMC WPC, NetWeaver, Solution Manager, S4CORE entity, and S/4 HANA.

Advertisement. Scroll to continue reading.

Although SAP makes no mention of any of these vulnerabilities being exploited in the wild, organizations are advised to apply the patches as soon as possible.

Related: SAP Patches High-Severity Vulnerabilities in Commerce, NetWeaver

Related: SAP Releases 21 Security Patches

Related: SAP Patches Critical Vulnerabilities in NetWeaver

Related: SAP Patches High-Severity Vulnerability in Web Dispatcher

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Wendi Whitmore has taken the role of Chief Security Intelligence Officer at Palo Alto Networks.

Phil Venables, former CISO of Google Cloud, has joined Ballistic Ventures as a Venture Partner.

David Currie, former CISO of Nubank and Klarna, has been appointed CEO of Vaultree.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.