SAP has fastened two essential vulnerabilities affecting NetWeaver internet software server that may very well be exploited to escalate privileges and entry restricted info.
As a part of the January Safety Patch Day, the seller additionally launched updates for different merchandise to patch 12 further points rated with medium and excessive severity.
“SAP strongly recommends that the customer visits the Support Portal and applies patches on priority to protect their SAP landscape,” reads the corporate’s safety bulletin.
The 4 most extreme safety drawback SAP addressed this month are summarized as follows:
- CVE-2025-0070, essential severity, 9.9 rating): Improper authentication in SAP NetWeaver Utility Server for ABAP and ABAP Platform permits an authenticated attacker to take advantage of improper authentication checks, leading to privilege escalation and considerably impacting confidentiality, integrity, and availability.
- CVE-2025-0066, essential severity, 9.9 rating: Info disclosure vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (Web Communication Framework) happens on account of weak entry controls, enabling an attacker to entry restricted info and considerably compromising confidentiality, integrity, and availability.
- CVE-2025-0063, excessive severity, 8.8 rating: SQL injection vulnerability in SAP NetWeaver AS ABAP and ABAP Platform arises from a scarcity of authorization checks for sure RFC perform modules. This permits an attacker with fundamental privileges to compromise an Informix database, main to a whole lack of confidentiality, integrity, and availability.
- CVE-2025-0061, excessive severity, 8.7 rating: A number of vulnerabilities in SAP BusinessObjects Enterprise Intelligence Platform enable an unauthenticated attacker to carry out session hijacking over the community on account of an info disclosure subject. This permits the attacker to entry and modify all software information.
Influence and proposals
SAP merchandise serve giant enterprises throughout industries akin to manufacturing, finance, retail, healthcare, and authorities, fulfilling essential roles for managing enterprise operations and buyer relations.
SAP NetWeaver is a core platform for working ABAP purposes and enabling safe communication through the Web Communication Framework. It’s usually utilized by IT directors, builders, and consultants in enterprises managing ERP techniques for finance, HR, and provide chain.
SAP BusinessObjects is a platform for reporting, analytics, and information visualization utilized by analysts, decision-makers, and IT groups to derive insights and assist strategic choices.
Hackers prior to now have focused SAP merchandise that had not been up to date to handle recognized vulnerabilities or had been improperly configured, leaving networks uncovered to breaches.
The German vendor strongly recommends that clients apply the newest patches accessible to guard their SAP surroundings.
