
SAP Patches Critical Vulnerabilities in NetWeaver

SAP has released 14 security notes on January 2025 Patch Day, including two addressing critical vulnerabilities in NetWeaver.


Enterprise software maker SAP on Tuesday announced the release of 14 new security notes as part of its January 2025 Patch Day.

The most important of the notes are marked ‘hot news’ (SAP’s highest severity rating) and address two critical vulnerabilities in NetWeaver Application Server for ABAP and ABAP Platform, both with a CVSS score of 9.9.

The first of the security defects, tracked as CVE-2025-0070, is described as an improper authentication bug. It could allow an attacker to steal credentials from the internal RFC communication between an HTTP client and a server of the same system.

An external program could then use the stolen credentials to communicate with the HTTP client over HTTP while masquerading as an internal caller, which would impact “the confidentiality, integrity, and availability of the application”, application security firm Onapsis says.

The second critical issue resolved on SAP’s January 2025 Patch Day, tracked as CVE-2025-0066, is described as an information disclosure flaw in NetWeaver.

Under certain conditions, the platform could allow attackers to “read decrypted, plaintext credential information required to communicate to other systems,” Onapsis explains.


On Tuesday, SAP also released a security note addressing a high-severity SQL injection vulnerability in NetWeaver, tracked as CVE-2025-0063 (CVSS score of 8.8), which could allow an attacker to access or tamper with data in the underlying Informix database.

SAP also announced fixes for two high-severity bugs in the BusinessObjects Business Intelligence platform, tracked as CVE-2025-0061 and CVE-2025-0060, and for a DLL hijacking flaw in SAPSetup, tracked as CVE-2025-0069.

The remaining security notes resolve medium- and low-severity security defects in Business Workflow and Flexible Workflow, NetWeaver, GUI for Windows, and BusinessObjects.

SAP makes no mention of any of these vulnerabilities being exploited in the wild, but organizations should review the security notes and apply the available patches as soon as possible, as threat actors are known to target SAP vulnerabilities, including older, already-patched ones, in attacks.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
