SAP Releases 21 Security Patches

SAP has released 19 new and two updated security notes on its February 2025 patch day, including six notes for high-severity vulnerabilities.

Enterprise software maker SAP on Tuesday announced the release of 19 new and two updated security notes as part of its February 2025 Patch Day.

Six of the notes, five new and one update, are marked high priority, resolving high-severity vulnerabilities in NetWeaver, BusinessObjects, Supplier Relationship Management, Approuter, Enterprise Project Connection, and HANA.

The first note released on SAP’s February 2025 Security Patch Day is an update to a note published in February 2024 to address a cross-site scripting (XSS) flaw in NetWeaver AS Java. The update references a second update for the security note, which completely patches the bug and lowers the CVSS score to 6.1.

Of the new high-priority notes, the most severe resolves an improper authorization issue in BusinessObjects. Tracked as CVE-2025-0064 (CVSS score of 8.7), the bug could allow an attacker to impersonate users.

“The vulnerability affects the Central Management Console of SAP BO and allows a highly privileged attacker to impersonate any user in the system through access to the secret passphrase of the trusted systems,” application security firm Onapsis explains.

SAP on Tuesday released patches for a path traversal defect in Supplier Relationship Management that could allow unauthenticated attackers to fetch arbitrary files of the application and access potentially sensitive data. The vulnerability is tracked as CVE-2025-25243 (CVSS score of 8.6).

Patches were also released for an authentication bypass flaw in Approuter, tracked as CVE-2025-24876 (CVSS score of 8.1), and for an open redirect issue in HANA, tracked as CVE-2025-24868 (CVSS score of 7.1).

Additionally, SAP announced fixes for multiple vulnerabilities in Enterprise Project Connection, which uses vulnerable versions of the Spring Framework open source libraries.

On Tuesday, the software maker also released patches for medium-severity flaws in Commerce and Commerce Cloud, BusinessObjects, GUI for Windows, NetWeaver, Fiori Apps Reference Library, ABAP, and Fiori for SAP ERP.

SAP makes no mention of any of these vulnerabilities being exploited in the wild. However, organizations are advised to apply the security notes as soon as possible, as it is not uncommon for threat actors to target SAP vulnerabilities in attacks.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
