Inprosec, through services such as its SAP Security Assessment, helps its clients raise the security level of their SAP systems.
June 2025 Notes
Summary and highlights of the month
This month there were 14 notes in total, 4 fewer than the previous month. There was 1 Hot News note, 1 fewer than in the previous period. There are 5 High-priority notes, the same as last month. Medium and Low notes are not reviewed, so we give details on a total of 6 notes (all those with a CVSS of 7 or higher).
There are 14 notes in total for the month (14 new).
We review in detail a total of 6 notes, all of High or Hot News priority:
- The most critical note of the month (CVSS 9.6), and the only Hot News, concerns “Missing Authorization check in SAP NetWeaver Application Server for ABAP”.
- Next in criticality (CVSS 8.8) is a note on “Information Disclosure in SAP GRC (AC Plugin)”.
- Next (CVSS 8.5) is a note on “Missing Authorization check in SAP Business Warehouse and SAP Plug-In Basis”.
- Next (CVSS 8.2) is a note on “Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence (BI Workspace)”.
- The remaining two are High notes (CVSS 7.6 and 7.5), one on “Directory Traversal vulnerability in SAP NetWeaver Visual Composer” and the other on “Multiple vulnerabilities in SAP MDM Server”.
This month the most common vulnerability type is “Missing Authorization Check” (6 of the 14 Patch Day notes).
The chart shows the classification of the June notes, together with the evolution and classification over the previous 5 months (Security Patch Day notes by SAP only):
Full detail
The full detail of the most relevant notes is as follows:
- Missing Authorization check in SAP NetWeaver Application Server for ABAP (3600840): RFC inbound processing does not perform the necessary authorization checks for an authenticated user, resulting in privilege escalation. A successful exploit could have a critical impact on both the integrity and availability of the application. The fix adds the missing checks so that S_RFC authorization is enforced for inbound tRFC and qRFC calls. Apply the kernel patch and set the profile parameter indicated in the note. CVSS v3 Base Score 9.6/10 [CVE-2025-42989]
- Information Disclosure in SAP GRC (AC Plugin) (3609271): SAP GRC allows a non-administrative user to access and start a transaction that could let them modify or take control of transmitted system credentials. This has a significant impact on the confidentiality, integrity and availability of the application. The problem is fixed by preventing the report from being executed. CVSS v3 Base Score 8.8/10 [CVE-2025-42982]
- Missing Authorization check in SAP Business Warehouse and SAP Plug-In Basis (3606484): SAP Business Warehouse and SAP Plug-In Basis allow an authenticated attacker to drop arbitrary SAP database tables, potentially resulting in data loss or an inoperable system. A successful exploit can delete database entries completely but cannot read any data. The problem is fixed by removing the affected code from the RFC function module. CVSS v3 Base Score 8.5/10 [CVE-2025-42983]
- Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence (BI Workspace) (3560693): SAP BusinessObjects Business Intelligence (BI Workspace) allows an unauthenticated attacker to create and store malicious scripts inside a workspace. When a victim opens the workspace, the script runs in their browser, potentially letting the attacker read sensitive session information, modify it, or make it unavailable. This results in a high confidentiality impact and a low integrity and availability impact. CVSS v3 Base Score 8.2/10 [CVE-2025-23192]
- Directory Traversal vulnerability in SAP NetWeaver Visual Composer (3610591): SAP NetWeaver Visual Composer contains a Directory Traversal vulnerability caused by insufficient validation of input paths supplied by a high-privilege user. This allows an attacker to read or modify arbitrary files, which has a high confidentiality impact and a low integrity impact. CVSS v3 Base Score 7.6/10 [CVE-2025-42977]
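The defect class in the Visual Composer note (a file path built from a caller-supplied string without confining it to the intended directory) is easiest to see in code. The following Python snippet is an added example written for this post, not code from SAP or from the Visual Composer component: the base directory, file names and the `escape_link` symlink are constructed for the demonstration, and the function names are invented. It contrasts a naive join with a canonicalise-then-contain check, including the `uploads` vs `uploads2` prefix trick that defeats a plain `startswith` comparison and a symlink inside the allowed directory that points back outside it.

```python
# Added example (not SAP or Inprosec code): confining a caller-supplied path
# to a base directory, the check a directory-traversal fix has to perform.
import os
import tempfile


def resolve_naive(base_dir: str, user_path: str) -> str:
    """Vulnerable pattern: join and trust the result. '..' segments walk out
    of base_dir, and an absolute user_path makes os.path.join drop base_dir
    entirely."""
    return os.path.join(base_dir, user_path)


def is_contained(base_dir: str, user_path: str) -> bool:
    """Hardened check: canonicalise both paths (resolving '..' and symlinks)
    and require that base_dir is a path prefix of the result. commonpath is
    used instead of str.startswith so that /srv/uploads2 is not accepted as
    being inside /srv/uploads."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    try:
        return os.path.commonpath([base, candidate]) == base
    except ValueError:
        # Raised on Windows when the paths sit on different drives: that is
        # certainly outside base_dir.
        return False


def resolve_safe(base_dir: str, user_path: str) -> str:
    """Return the canonical path inside base_dir, or refuse the request."""
    if not is_contained(base_dir, user_path):
        raise PermissionError(f"path escapes base directory: {user_path!r}")
    return os.path.realpath(os.path.join(os.path.realpath(base_dir), user_path))


def make_demo_dir() -> str:
    """Constructed fixture: <tmp>/uploads plus a symlink inside it that points
    back at <tmp>, i.e. one level above the allowed directory."""
    root = tempfile.mkdtemp(prefix="vc-demo-")
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    try:
        os.symlink(root, os.path.join(uploads, "escape_link"))
    except OSError:
        pass  # symlink creation may be unavailable (e.g. unprivileged Windows)
    return uploads


def check_cases(base_dir: str) -> dict:
    """Run the containment check over benign and hostile constructed inputs."""
    cases = [
        "report.xml",               # benign
        "sub/../report.xml",        # '..' that stays inside base_dir
        "../../etc/passwd",         # classic traversal
        "/etc/passwd",              # absolute path swallows base_dir
        "../uploads2/report.xml",   # prefix trick against startswith
    ]
    if os.path.islink(os.path.join(base_dir, "escape_link")):
        cases.append("escape_link/secret.txt")  # symlink pointing outside
    return {case: is_contained(base_dir, case) for case in cases}


if __name__ == "__main__":
    demo = make_demo_dir()
    for path, ok in check_cases(demo).items():
        verdict = "allow" if ok else "REJECT"
        print(f"{verdict:7} {path}  (naive join -> {resolve_naive(demo, path)})")
```

The `realpath` step matters as much as the prefix comparison: without it, `escape_link/secret.txt` looks like a file under `uploads` even though it resolves one level up.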
- Multiple vulnerabilities in SAP MDM Server (3610006): This security note addresses three vulnerabilities in SAP MDM Server:
  - Memory Corruption [CVE-2025-42994]: The SAP MDM Server ReadString feature allows an attacker to send specially crafted packets that trigger a memory read access violation in the server process, which crashes and exits unexpectedly. This causes a high availability impact with no impact on the confidentiality or integrity of the application.
  - Memory Corruption [CVE-2025-42995]: The SAP MDM Server read function allows an attacker to send specially crafted packets that trigger a memory read access violation in the server process, which crashes and exits unexpectedly. This causes a high availability impact with no impact on the confidentiality or integrity of the application.
  - Insecure Session Management [CVE-2025-42996]: SAP MDM Server allows an attacker to take control of existing client sessions and execute certain functions without re-authentication, allowing access to or modification of non-sensitive information, or consuming enough resources to degrade server performance. This results in a low impact on the confidentiality, integrity and availability of the application.
  The session issue is fixed by generating session tokens randomly. Apply the latest patch, which replaces the main server executable, and restart the server. CVSS v3 Base Score 7.5/10 [CVE-2025-42994]
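The session-management item above is fixed by generating session tokens randomly, and the reason is worth seeing end to end. The following Python code is an added example, not SAP's MDM implementation and not code from this post's authors: it models a hypothetical server whose session ids come from a counter, shows how a logged-in attacker enumerates the ids around its own to take over another user's session, and contrasts that with tokens drawn from `secrets.token_hex`. The class and function names, the user names and the counter start value are invented for the demonstration.

```python
# Added example (not SAP MDM code): predictable versus random session tokens.
import secrets


class PredictableSessionStore:
    """Hypothetical vulnerable server: each login receives the next counter
    value. Anyone holding one valid token can compute the tokens issued
    just before and after it."""

    def __init__(self, start: int = 1000):
        self._next = start
        self._sessions = {}

    def login(self, user: str) -> str:
        token = f"{self._next:08x}"
        self._next += 1
        self._sessions[token] = user
        return token

    def lookup(self, token: str):
        return self._sessions.get(token)


class RandomSessionStore:
    """Hardened variant: 128 bits from the OS CSPRNG per session, so a
    neighbour search (or any search) has no chance of landing on a live id."""

    def __init__(self):
        self._sessions = {}

    def login(self, user: str) -> str:
        token = secrets.token_hex(16)
        self._sessions[token] = user
        return token

    def lookup(self, token: str):
        return self._sessions.get(token)


def hijack_neighbours(store, own_token: str, width: int = 16) -> dict:
    """Attacker model: treat the attacker's own token as a number and probe
    the values on either side of it. Returns every guess that mapped to a
    live session, keyed by the guessed token."""
    base = int(own_token, 16)
    digits = len(own_token)
    found = {}
    for delta in range(-width, width + 1):
        guess_value = base + delta
        if delta == 0 or guess_value < 0:
            continue
        guess = format(guess_value, f"0{digits}x")
        user = store.lookup(guess)
        if user is not None:
            found[guess] = user
    return found


def run_demo(store_cls) -> dict:
    """Victim logs in first, then the attacker; the attacker probes around
    its own session id and reports which sessions it could take over."""
    store = store_cls()
    store.login("victim")
    attacker_token = store.login("attacker")
    return hijack_neighbours(store, attacker_token)


if __name__ == "__main__":
    print("sequential tokens:", run_demo(PredictableSessionStore))  # victim found
    print("random tokens:    ", run_demo(RandomSessionStore))       # nothing found
```

A random id only removes guessability; the other half of the note, functions that ran without re-authentication, still needs a step-up check bound to the session before sensitive operations.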
Reference links
SAP and Onapsis references (June):
SAP Security Patch Day – June 2025
SAP Patch Day: June 2025 – Onapsis
Affected resources
The full list of affected systems/components is as follows:
- SAP NetWeaver Application Server for ABAP Versions – KERNEL 7.89, 7.93, 9.14, 9.15
- SAP GRC (AC Plugin) Versions – GRCPINW V1100_700, V1100_731
- SAP Business Warehouse and SAP Plug-In Basis Versions – PI_BASIS 2006_1_700, 701, 702, 731, 740, SAP_BW 750, 751, 752, 753, 754, 755, 756, 757, 758, 914, 915
- SAP BusinessObjects Business Intelligence (BI Workspace) Versions – ENTERPRISE 430, 2025, 2027
- SAP NetWeaver Visual Composer Version – VCBASE 7.50
- SAP MDM Server Versions – MDM_SERVER 710.750
- SAP S/4HANA (Enterprise Event Enablement) Versions – SAP_GWFND 757, 758
- SAP NetWeaver (ABAP Keyword Documentation) Version – SAP_BASIS 758
- SAP S/4HANA (Manage Central Purchase Contract application) Versions – S4CORE 106, 107, 108
- SAP Business One Integration Framework Versions – B1_ON_HANA 10.0, SAP-M-BO 10.0
- SAP S/4HANA (Manage Processing Rules – For Bank Statement) Versions – S4CORE 104, 105, 106, 107, 108
- SAP S/4HANA (Bank Account Application) Version – S4CORE 108
- SAP BusinessObjects Business Intelligence Platform Versions – ENTERPRISE 430, 2025, 2027
- SAPUI5 applications Versions – SAP_UI 750, 754, 755, 756, 757, 758, UI_700 200