Overview

SAP’s security patch day for March 2025 saw the release of 24 OSS SAP security notes. Five notes have been classified as high, fifteen as medium and four as low, based on their CVSS v3.0 ratings.


Two notes have been released for:

  • SAP S/4HANA
  • SAP BusinessObjects Business Intelligence Platform
  • SAP Just In Time
  • SAP NetWeaver Application Server ABAP

Single notes have been released for:

  • @sap/approuter
  • SAP Business Objects Business Intelligence Platform
  • SAP Business One (Service Layer)
  • SAP Business Warehouse (Process Chains)
  • SAP Commerce (Swagger UI)
  • SAP Commerce Cloud
  • SAP Commerce Cloud and SAP Datahub
  • SAP CRM and SAP S/4HANA (Interaction Center)
  • SAP Electronic Invoicing for Brazil (eDocument Cockpit)
  • SAP Fiori apps (Posting Library)
  • SAP NetWeaver (ABAP Class Builder)
  • SAP NetWeaver Application Server Java
  • SAP NetWeaver Enterprise Portal (OBN component)
  • SAP PDCE
  • SAP Permit to Work
  • SAP Web Dispatcher and Internet Communication Manager

Vulnerabilities: March 2025 Highlights

[CVE-2025-25244] Missing Authorisation Check in SAP Business Warehouse (Process Chains) (SAP Note 3552144)

SAP Business Warehouse (Process Chains) allows attackers to manipulate process execution due to a missing authorisation check. An attacker with only display authorisation for the process chain object could set one or all processes to be skipped, so that the corresponding activities, such as data loading, activation or deletion, are not executed as originally modelled. This could produce unexpected results in business reporting, with a significant impact on integrity. There is, however, no impact on confidentiality or availability.

[CVE-2025-27430] Server Side Request Forgery (SSRF) in SAP CRM and SAP S/4HANA (Interaction Center) (SAP Note 3561861)

Under certain conditions, an SSRF vulnerability in SAP CRM and SAP S/4HANA (Interaction Center) allows an attacker with low privileges to access restricted information. This flaw enables the attacker to send requests to internal network resources, thereby compromising the application’s confidentiality.

[CVE-2025-25242] Cross-Site Scripting (XSS) in SAP NetWeaver Application Server ABAP (SAP Note 3562390)

SAP NetWeaver Application Server ABAP allows malicious scripts to be executed in the application, a Cross-Site Scripting (XSS) vulnerability. This has no impact on the application’s availability, but it can have a minor impact on its confidentiality and integrity.

[CVE-2025-26661] Missing Authorisation Check in SAP NetWeaver (ABAP Class Builder) (SAP Note 3563927)

Due to missing authorisation checks, SAP NetWeaver (ABAP Class Builder) allows attackers to escalate their privileges beyond the access level they should have. Successful exploitation could result in the disclosure of highly sensitive information and could also greatly impact the integrity and availability of the application.

[CVE-2025-27432] Missing Authorisation Check in SAP Electronic Invoicing for Brazil (eDocument Cockpit) (SAP Note 3568865)

The eDocument Cockpit (Inbound NF-e) in SAP Electronic Invoicing for Brazil allows an authenticated attacker with certain privileges to gain unauthorised access to each transaction. An unauthorised attacker could call each transaction and view the inbound delivery details by executing the specific ABAP method within the ABAP system. This vulnerability has a low impact on confidentiality and no effect on the integrity and availability of the application.

About this Review

On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all released security updates and produce this security review, including bespoke recommendations for each of our managed service customers.

Our earlier article on addressing security vulnerabilities in SAP software has more information on how we handle SAP security updates, including SAP’s process, the CVE process and the CVSS base scores.