SAP announced 21 new Security Notes and updates to 3 previously released notes on its latest Security Patch Day.
This release addresses critical vulnerabilities within SAP products, underscoring the company’s commitment to safeguarding enterprise software.
SAP strongly recommends customers prioritize implementing these patches to secure their systems and mitigate potential risks.
The updates focus on fixing high-priority vulnerabilities that could allow attackers to compromise systems or escalate privileges.
Below is a detailed table summarizing the CVEs and associated Security Notes:
CVE-ID | Title | Product / Version | Priority |
[CVE-2025-27434] | Cross-Site Scripting (XSS) vulnerability in SAP Commerce (Swagger UI) | SAP Commerce (Swagger UI), Version – COM_CLOUD 2211 | High |
[CVE-2025-26661] | Missing Authorization check in SAP NetWeaver (ABAP Class Builder) | SAP NetWeaver (ABAP Class Builder), Versions – SAP_BASIS 700 to 914 | High |
[CVE-2024-38286] | Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud | Related to CVE-2024-52316; SAP Commerce Cloud, Versions – HY-COM 2205, COM-CLOUD 2211 | High |
[CVE-2025-24876] (Update) | Authentication bypass via authorization code injection in SAP Approuter | Library – @sap/approuter, Versions – 2.6.1 to 16.7.1 | High |
[CVE-2024-39592] (Update) | Missing Authorization check in SAP PDCE | SAP PDCE, Versions – S4CORE 102 to 108 | High |
SAP customers are advised to:
SAP’s March 2025 Security Patch Day reaffirms its ongoing efforts to strengthen enterprise security.
Businesses relying on SAP products must prioritize these updates to protect against exploitation and maintain the integrity of their systems.
Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…
A threat actor known as #LongNight has reportedly put up for sale remote code execution…
Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…
Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…
The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…
Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…