Today, SAP released 14 new security notes during its monthly Security Patch Day. This release includes several critical and high-severity vulnerabilities affecting core SAP systems such as NetWeaver, BusinessObjects, and SAP GUI platforms. The two critical vulnerabilities, CVE-2025-0070 and CVE-2025-0066, affect SAP NetWeaver AS for ABAP and ABAP Platform.
The first critical vulnerability, CVE-2025-0070 (CVSS 9.9), allows an authenticated attacker to gain illegitimate access to the system by exploiting improper authentication checks. This could lead to privilege escalation and potential security concerns.
The second critical vulnerability, CVE-2025-0066 (CVSS 9.9), allows an attacker to access restricted information due to weak access controls in SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework). This could have a significant impact on the confidentiality, integrity, and availability of an application.
The remaining vulnerabilities addressed in the patch release are rated as high and medium severity. Some of the notable high-severity vulnerabilities include CVE-2025-0063, an SQL injection vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform, and CVE-2025-0061, a vulnerability in SAP BusinessObjects Business Intelligence Platform that allows an unauthenticated attacker to perform session hijacking.
SAP has urged its customers to apply the patches as soon as possible to protect their systems from potential attacks. The company has also provided detailed information about the vulnerabilities and the patches in its security notes.
Related Posts:
- CVE-2024-47578 (CVSS 9.1): SAP Issues Critical Patch for NetWeaver AS for JAVA
- CVE-2024-33006: Critical SAP Vulnerability Exposes Systems to Complete Takeover
- SAP Patches Critical BusinessObjects Vulnerability with October Security Updates
- A total of 10 Security in SAP was patched
- SAP’s March 2023 Security Updates Patch 5 Critical-Severity Vulnerabilities
