Inprosec through its services, such as the SAP Security Assessment, helps its customers to improve the security levels of their SAP systems.
August 2025 Notes
Monthly Summary and Highlights
The total this month was 19 notes, 12 fewer than in the previous month. There were 3 Hot News notes, 3 fewer than in the previous period. There are 2 high-criticality notes, 3 fewer than in each of the last 4 months, during which the same 5 notes of this level were repeated. Medium and low notes will not be reviewed, so we will provide details on a total of 5 notes (all those with a CVSS of 7 or higher).
We have a total of 19 notes for the whole month (15 new ones and 4 updates of notes published in previous months).
We will review in detail a total of 5 notes, all of them of high criticality and Hot News:
- The highest-criticality notes of the month (CVSS 9.9) are the 3 Hot News, which share the same score. Two of them are new notes, “Code Injection Vulnerability in SAP Landscape Transformation (Analysis Platform)” and “Code Injection Vulnerability in SAP S/4HANA (Private Cloud or On-Premise)”, while the third is an update of a note released in April this year, also related to “Code Injection Vulnerability in SAP S/4HANA (Private Cloud or On-Premise)”.
- Next in criticality (CVSS 8.8) is the first of the high notes, related to “Broken Authorization in SAP Business One (SLD)”.
- Lastly, the final note we will analyze, and the lowest in criticality (CVSS 8.1), is related to “Multiple vulnerabilities in SAP NetWeaver Application Server ABAP (BIC Document)”.
This month the most predominant type is “Missing Authorization Check” (4/19 on Patch Day) followed by “Code Injection Vulnerability” (3/19 on Patch Day).
In the chart we can see the classification of the August notes, as well as the evolution and classification of the last 5 previous months (only the notes from Sec. Tuesday / Patch Day – by SAP):
Full details
The complete detail of the most relevant notes is as follows:
- Code Injection Vulnerability in SAP S/4HANA (Private Cloud or On-Premise) (3627998): In SAP S/4HANA, a vulnerability in a function module exposed via RFC can be exploited by a privileged user to inject arbitrary ABAP code, bypassing authorization checks and acting as a backdoor, risking full system compromise and impacting confidentiality, integrity, and availability. SAP has released a fix that removes this code injection risk by preventing arbitrary script or command execution; the referenced Correction Instructions or Support Packages must be applied immediately, as no temporary workaround is available. CVSS v3 Base Score 9.9 / 10 [CVE-2025-42957]
- Code Injection Vulnerability in SAP Landscape Transformation (Analysis Platform) (3633838): In SAP Landscape Transformation (SLT), a vulnerability in a function module exposed via RFC can be exploited by a privileged user to inject arbitrary ABAP code, bypassing authorization checks and acting as a backdoor, potentially leading to full system compromise and impacting confidentiality, integrity, and availability. SAP has issued a fix that removes the code injection risk by blocking arbitrary script or command execution; the referenced Correction Instructions or Support Packages must be applied immediately, as no temporary workaround exists. CVSS v3 Base Score 9.9 / 10 [CVE-2025-42950]
- Code Injection Vulnerability in SAP S/4HANA (Private Cloud or On-Premise) (3581961): In SAP S/4HANA, a vulnerability in a function module exposed via RFC can be exploited by a privileged user to inject arbitrary ABAP code, bypassing authorization checks and acting as a backdoor, risking full system compromise and impacting confidentiality, integrity, and availability. In the current version (V6, 12 August 2025), the note has been re-released with updated Support Packages & Patches information, which must be applied promptly. The fix removes the risk of code injection by blocking arbitrary script or command execution. There is no workaround, so implementing the updated instructions is critical to securing the system. CVSS v3 Base Score 9.9 / 10 [CVE-2025-27429]
- Broken Authorization in SAP Business One (SLD) (3625403): In SAP Business One (SLD), a broken authorization flaw allows an authenticated attacker to gain database administrator privileges by invoking a specific API, posing a high risk to confidentiality, integrity, and availability. The vulnerability occurs because the SLD backend service fails to enforce proper authorization for users logged in via the native client, exposing sensitive credentials. SAP has fixed the issue by revoking this API permission for normal users, ensuring only landscape administrators (e.g., B1SiteUser) can invoke it, adjusting database account usage in the client, and introducing an admin login prompt for privileged landscape management tasks. The referenced Support Packages and Patches must be applied immediately, as no workaround exists. CVSS v3 Base Score 8.8 / 10 [CVE-2025-42951]
- Multiple vulnerabilities in SAP NetWeaver Application Server ABAP (BIC Document) (3611184): In SAP NetWeaver Application Server ABAP (BIC Document), multiple vulnerabilities were found due to missing input validation. Memory Corruption (CVE-2025-42976) allows an authenticated attacker to send crafted requests that can crash the target component or perform out-of-bounds reads, exposing sensitive in-memory data. Reflected Cross-Site Scripting (XSS) (CVE-2025-42975) lets an unauthenticated attacker trick a victim into executing malicious scripts in their browser via crafted URLs, potentially accessing or modifying web client data. SAP resolved the issue by improving input parameter validation. Customers must implement the Correction Instructions or Support Packages from the note. As a temporary workaround, the SICF service “BIC” can be deactivated, though SAP strongly recommends applying the permanent fix. CVSS v3 Base Score 8.1 / 10 [CVE-2025-42976]
Reference links
Other references, from SAP and Onapsis (August):
SAP Security Patch Day – August 2025
SAP Patch Day: August 2025 – Onapsis
Resources affected
The full list of affected systems/components is as follows:
- SAP S/4HANA (Private Cloud or On-Premise)
  Versions: S4CORE 102, 103, 104, 105, 106, 107, 108 (includes the Bank Communication Management and Supplier invoice modules in some notes)
- SAP Landscape Transformation (Analysis Platform)
  Versions: DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020
- SAP Business One (SLD)
  Versions: B1_ON_HANA 10.0, SAP-M-BO 10.0
- SAP NetWeaver Application Server ABAP (BIC Document)
  Versions: S4COREOP 104, 105, 106, 107, 108; SEM-BW 600, 602, 603, 604, 605, 634, 736, 746, 747, 748
- SAP S/4HANA (Bank Communication Management)
  Versions: SAP_APPL 606, SAP_FIN 617, 618, 720, 730; S4CORE 102, 103, 104, 105, 106, 107, 108
- SAP NetWeaver Application Server ABAP
  Versions: KRNL64UC 7.53; KERNEL 7.53, 7.54, 7.77, 7.89, 7.93; SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816, 914, 916
- SAP NetWeaver ABAP Platform
  Versions: S4CRM 100, 200, 204, 205, 206; S4CEXT 107, 108, 109; BBPCRM 713, 714; SAP_BASIS 758, 816, 916
- SAP NetWeaver Enterprise Portal (OBN component)
  Versions: EP-RUNTIME 7.50
- ABAP Platform
  Versions: SAP_BASIS 758, 816, 916
- SAP GUI for Windows
  Versions: BC-FES-GUI 8.00
- SAP S/4HANA (Supplier invoice)
  Versions: S4CORE 102, 103, 104, 105, 106, 107, 108, 109
- SAP NetWeaver
  Versions: SAP_ABA 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G, 75H, 75I
- SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Manager)
  Versions: KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53; KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93; 9.14, 9.15, 9.16
- SAP Cloud Connector
  Versions: SAP_CLOUD_CONNECTOR 2.0
- SAP Fiori (Launchpad)
  Versions: SAP_UI 754
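To turn the affected-resources list above into a patch-status check, the following added example (not code from Inprosec or SAP) parses the list's notation, where a bare version such as "103" or "75C" belongs to the last named component and commas and semicolons both separate entries, and matches it against a constructed inventory of a hypothetical system; the AFFECTED subset and SAMPLE_INSTALLED values are assumptions for the demonstration.

```python
import re

# Constructed subset of the "Resources affected" list above, in the note's
# own notation: a bare version ("103", "75C") belongs to the last named component.
AFFECTED = {
    "SAP S/4HANA (Private Cloud or On-Premise)":
        "S4CORE 102, 103, 104, 105, 106, 107, 108",
    "SAP NetWeaver Application Server ABAP":
        "KRNL64UC 7.53; KERNEL 7.53, 7.54, 7.77, 7.89, 7.93; "
        "SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, "
        "755, 756, 757, 758, 816, 914, 916",
    "SAP NetWeaver":
        "SAP_ABA 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, "
        "75F, 75G, 75H, 75I",
}

# "COMPONENT version": component names start with a letter, versions in this
# notation never do, so a bare version deliberately fails to match.
TOKEN = re.compile(r"^([A-Z][A-Z0-9_-]*)\s+(\S+)$")

def parse_versions(spec):
    """Expand 'COMP v1, v2; COMP2 v3' into a set of (component, version)."""
    pairs, component = set(), None
    for item in (t.strip() for t in re.split(r"[;,]", spec)):
        if not item:
            continue
        match = TOKEN.match(item)
        if match:
            component, version = match.groups()
        elif component is None:
            raise ValueError(f"version without a component: {item!r}")
        else:
            version = item  # bare version: inherit the preceding component
        pairs.add((component, version))
    return pairs

def exposed_components(installed, affected=AFFECTED):
    """Map each affected product to the installed (component, version) pairs
    on its list; `installed` is {component: version} from the system's
    software component list."""
    hits = {}
    for product, spec in affected.items():
        matches = sorted(p for p in parse_versions(spec) if installed.get(p[0]) == p[1])
        if matches:
            hits[product] = matches
    return hits

# Constructed inventory of a hypothetical system, not taken from the note.
SAMPLE_INSTALLED = {"S4CORE": "106", "SAP_BASIS": "755", "KERNEL": "7.93", "SAP_ABA": "75C"}
```

A hit only says the component release is on the affected list; whether the note's Correction Instructions or Support Package have already been applied still has to be confirmed on the system itself.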