Monday, May 5, 2025
HomeCVE/vulnerabilitySAP April 2025 Update Fixes Critical Code Injection Vulnerabilities

SAP April 2025 Update Fixes Critical Code Injection Vulnerabilities

Published on

SIEM as a Service

Follow Us on Google News

SAP Security Patch Day has introduced a critical update to address vulnerabilities in SAP products, including high-severity code injection weaknesses.

A total of 18 new Security Notes, along with 2 updates to existing notes, were released to tackle serious risks such as unauthorized access, code injection, and directory traversal.

SAP recommends customers promptly apply these patches to safeguard their systems and ensure the robustness of their SAP landscapes.

- Advertisement - Google News

Summary of CVEs and Vulnerabilities

The following table provides a detailed overview of the vulnerabilities addressed in the April 2025 update:

CVE IDVulnerabilityAffected Product(s)PriorityCVSS Score
CVE-2025-27429Code Injection VulnerabilitySAP S/4HANA (Private Cloud)Critical9.9
CVE-2025-31330Code Injection VulnerabilitySAP Landscape Transformation (Analysis Platform)Critical9.9
CVE-2025-30016Authentication Bypass VulnerabilitySAP Financial ConsolidationCritical9.8
CVE-2025-0064Improper Authorization (Updated Security Note from February 2025 Patch Day)SAP BusinessObjects Business Intelligence platform (Central Management Console)High8.8
CVE-2025-23186Mixed Dynamic RFC Destination Vulnerability via Remote Function Call (RFC)SAP NetWeaver Application Server ABAPHigh8.5
CVE-2024-56337Time-of-Check Time-of-Use (TOCTOU) Race Condition VulnerabilityApache Tomcat within SAP Commerce CloudHigh8.1
CVE-2025-30014Directory Traversal VulnerabilitySAP Capital Yield Tax ManagementHigh7.7
CVE-2025-27428Directory Traversal VulnerabilitySAP NetWeaver and ABAP Platform (Service Data Collection)High7.7

Among the vulnerabilities, CVE-2025-27429 and CVE-2025-31330 stand out due to their critical nature.

These code injection weaknesses enable attackers to execute harmful code, potentially compromising sensitive data and system integrity.

For organizations using SAP S/4HANA (Private Cloud) or SAP Landscape Transformation (Analysis Platform), applying these updates is essential to avoid exploitation.

The patch release also addressed directory traversal vulnerabilities (CVE-2025-30014, CVE-2025-27428) that allow unauthorized access to restricted directories, along with a TOCTOU race condition vulnerability (CVE-2024-56337) found in Apache Tomcat within SAP Commerce Cloud.

SAP’s April 2025 Security Patch Day emphasizes the importance of proactively addressing vulnerabilities to maintain operational resiliency and cybersecurity robustness.

Customers are strongly urged to apply the fixes immediately by consulting SAP’s Support Portal for detailed guidance.

Find this News Interesting! Follow us on Google NewsLinkedIn, & X to Get Instant Updates!

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Hackers Exploit Email Fields to Launch XSS and SSRF Attacks

Cybersecurity researchers are raising alarms as hackers increasingly weaponize email input fields to execute cross-site...

Luna Moth Hackers Use Fake Helpdesk Domains to Target Victims

A recent investigation by cybersecurity firm EclecticIQ, in collaboration with threat hunters, has exposed...

SonicBoom Attack Chain Lets Hackers Bypass Login and Gain Admin Control

Cybersecurity researchers have uncovered a dangerous new exploitation technique, dubbed the "SonicBoom Attack Chain,"...

Researcher Uses Copilot with WinDbg to Simplify Windows Crash Dump Analysis

A researcher has unveiled a novel integration between AI-powered Copilot and Microsoft's WinDbg, dramatically...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hackers Exploit Email Fields to Launch XSS and SSRF Attacks

Cybersecurity researchers are raising alarms as hackers increasingly weaponize email input fields to execute cross-site...

Luna Moth Hackers Use Fake Helpdesk Domains to Target Victims

A recent investigation by cybersecurity firm EclecticIQ, in collaboration with threat hunters, has exposed...

SonicBoom Attack Chain Lets Hackers Bypass Login and Gain Admin Control

Cybersecurity researchers have uncovered a dangerous new exploitation technique, dubbed the "SonicBoom Attack Chain,"...