SAP Security Patch Day has introduced a critical update to address vulnerabilities in SAP products, including high-severity code injection weaknesses.
A total of 18 new Security Notes, along with 2 updates to existing notes, were released to tackle serious risks such as unauthorized access, code injection, and directory traversal.
SAP recommends customers promptly apply these patches to safeguard their systems and ensure the robustness of their SAP landscapes.
.png
)
Summary of CVEs and Vulnerabilities
The following table provides a detailed overview of the vulnerabilities addressed in the April 2025 update:
| CVE ID | Vulnerability | Affected Product(s) | Priority | CVSS Score |
| CVE-2025-27429 | Code Injection Vulnerability | SAP S/4HANA (Private Cloud) | Critical | 9.9 |
| CVE-2025-31330 | Code Injection Vulnerability | SAP Landscape Transformation (Analysis Platform) | Critical | 9.9 |
| CVE-2025-30016 | Authentication Bypass Vulnerability | SAP Financial Consolidation | Critical | 9.8 |
| CVE-2025-0064 | Improper Authorization (Updated Security Note from February 2025 Patch Day) | SAP BusinessObjects Business Intelligence platform (Central Management Console) | High | 8.8 |
| CVE-2025-23186 | Mixed Dynamic RFC Destination Vulnerability via Remote Function Call (RFC) | SAP NetWeaver Application Server ABAP | High | 8.5 |
| CVE-2024-56337 | Time-of-Check Time-of-Use (TOCTOU) Race Condition Vulnerability | Apache Tomcat within SAP Commerce Cloud | High | 8.1 |
| CVE-2025-30014 | Directory Traversal Vulnerability | SAP Capital Yield Tax Management | High | 7.7 |
| CVE-2025-27428 | Directory Traversal Vulnerability | SAP NetWeaver and ABAP Platform (Service Data Collection) | High | 7.7 |
Among the vulnerabilities, CVE-2025-27429 and CVE-2025-31330 stand out due to their critical nature.
These code injection weaknesses enable attackers to execute harmful code, potentially compromising sensitive data and system integrity.
For organizations using SAP S/4HANA (Private Cloud) or SAP Landscape Transformation (Analysis Platform), applying these updates is essential to avoid exploitation.
The patch release also addressed directory traversal vulnerabilities (CVE-2025-30014, CVE-2025-27428) that allow unauthorized access to restricted directories, along with a TOCTOU race condition vulnerability (CVE-2024-56337) found in Apache Tomcat within SAP Commerce Cloud.
SAP’s April 2025 Security Patch Day emphasizes the importance of proactively addressing vulnerabilities to maintain operational resiliency and cybersecurity robustness.
Customers are strongly urged to apply the fixes immediately by consulting SAP’s Support Portal for detailed guidance.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!
