SAP Patches High-Severity Vulnerabilities in Commerce, NetWeaver

SAP released 21 new security notes and updated three security notes on March 2025 security patch day.


Enterprise software maker SAP on Tuesday announced the release of 21 new and three updated security notes on its March 2025 security patch day.

The company included five high-priority security notes in its advisory, namely three new notes that address vulnerabilities in Commerce, NetWeaver, and Commerce Cloud, and two updated notes that resolve flaws in Approuter and PDCE.

The most severe of these issues are CVE-2025-27434 and CVE-2025-26661 (both with a CVSS score of 8.8), described as a cross-site scripting (XSS) bug in Commerce and a missing authorization check in NetWeaver, respectively.

The XSS issue resides in the open source library Swagger UI, and could allow an unauthenticated attacker to inject malicious code if they convince a user “to place a malicious payload into an input field”, application security firm Onapsis notes.

The NetWeaver vulnerability was discovered in the transaction SA38, and allows access to restricted functionality.

SAP also released patches for Commerce Cloud to resolve two high-severity bugs in Apache Tomcat that could be exploited to cause a denial-of-service (DoS) condition or bypass authentication.

The updated high-priority security notes resolve an authentication bypass in Approuter and a missing authorization check in PDCE. The notes were initially published in February 2025 and July 2024.

On Tuesday, SAP also announced the release of 15 medium-priority security notes that resolve flaws in Business One, NetWeaver, Business Warehouse, BusinessObjects, Web Dispatcher and Internet Communication Manager, S/4HANA, Fiori apps, and Permit to Work.


SAP also released five low-priority notes this week, including a note with a CVSS score of 0.0, which “provides best practice information about custom Java applications in SAP BTP implemented with the Spring Framework,” as Onapsis explains.

The note details the endpoints that the debugging and monitoring tool Spring Boot Actuator may expose, which could introduce serious vulnerabilities if not properly secured.
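As an added illustration, not part of SAP's note or of this article, the following application.properties fragment contrasts an over-exposed Actuator configuration with a tightened one. The property names are the standard Spring Boot management properties; the management port, the endpoint selection and the comments about which endpoints leak what are assumptions chosen for the example.

```properties
# --- WEAK (assumed misconfiguration, for illustration only) ---
# Exposes every Actuator endpoint over HTTP, including env (configuration,
# possibly credentials), heapdump (memory image), threaddump, mappings,
# beans and loggers (runtime log-level changes).
management.endpoints.web.exposure.include=*
# Shows raw property values in /actuator/env instead of masking them.
management.endpoint.env.show-values=ALWAYS
# Full health details (database, disk, dependencies) to anyone who asks.
management.endpoint.health.show-details=always

# --- HARDENED (assumed target configuration) ---
# Expose only what monitoring actually needs over HTTP.
management.endpoints.web.exposure.include=health,info
# Everything else is explicitly excluded even if a later change widens include.
management.endpoints.web.exposure.exclude=env,heapdump,threaddump,beans,mappings,loggers,shutdown
# Keep sensitive values masked and limit health detail to authenticated callers.
management.endpoint.env.show-values=NEVER
management.endpoint.health.show-details=when-authorized
# Serve Actuator on a separate port (assumed value) that is not reachable
# through the public ingress, so the main application port never carries it.
management.server.port=8081
# Optional: move the endpoints off the default /actuator path.
management.endpoints.web.base-path=/internal
```

Exposure settings only decide which endpoints are wired up; they do not authenticate anyone. The exposed endpoints should additionally sit behind Spring Security (or the BTP approuter) so that a request to /internal/health from an unauthenticated client returns 401 rather than a 200, and a request to the excluded /internal/env returns 404. Checking both responses from outside the application is the quickest way to confirm the change took effect.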


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
