Enterprise software maker SAP on Tuesday announced the release of 27 new and four updated security notes as part of its July 2025 Security Patch Day, including six that address critical vulnerabilities.
At the top of the list is an update for a note released in May, which addresses five security defects in its Supplier Relationship Management (SRM).
SAP initially marked the note as high-priority, based on the severity score of the most important of these bugs. Now, it has updated the rating to ‘critical’, upon learning that the impact of one of these issues is much higher than initially determined.
The CVSS score for the bug, tracked as CVE-2025-30012, has been updated from 3.9 to 10/10, after it was determined that it could be abused by unauthenticated attackers to execute arbitrary OS commands with administrative privileges.
The issue exists because the Live Auction Cockpit component of SRM uses a deprecated java applet that would decode crafted malicious requests, resulting in the insecure deserialization of data and command execution.
The second note in SAP’s July 2025 Security Patch Day advisory addresses CVE-2025-42967 (CVSS score of 9.9), a remote code execution vulnerability in S/4HANA and SCM.
An attacker with user level privileges can exploit the flaw to create a new report containing their own code, which could allow them to take full control of a vulnerable SAP system.
SAP’s fresh round of security notes also resolves four critical-severity insecure deserialization flaws in various components of NetWeaver.
The issues, tracked as CVE-2025-42963, CVE-2025-42964, CVE-2025-42966, and CVE-2025-42980 (CVSS score of 9.1), can be exploited by attackers with high privileges to compromise the application and system, or take full control of the host system, security firm Onapsis explains.
Four high-severity issues in NetWeaver, Business Objects, and Business Warehouse were also patched this week, and a high-priority note released last month to address a directory traversal in NetWeaver’s Visual Composer component was updated.
SAP users are advised to update their deployments as soon as possible. Although the software maker makes no mention of any of these vulnerabilities being exploited in the wild, threat actors are known to have targeted SAP flaws to compromise enterprise environments.
Related: Critical Vulnerability Patched in SAP NetWeaver
Related: SAP Patches Another Exploited NetWeaver Vulnerability
Related: SAP Zero-Day Possibly Exploited by Initial Access Broker
Related: SAP Patches Critical Code Injection Vulnerabilities
