SAP April 2025 Patch Day: Critical Code Injection Risks

The SAP Security Patch Day on April 8, 2025, brought a wave of critical security updates, with a total of 18 new Security Notes and 2 updates to previously released notes. Among the fixes, several address severe code injection vulnerabilities that pose a significant threat to SAP systems.

Critical Vulnerabilities in Focus:

Two of the most critical vulnerabilities patched this month involve code injection flaws in key SAP products:

• SAP S/4HANA (Private Cloud): A vulnerability (CVE-2025-27429, CVSS 9.9) in SAP S/4HANA allows attackers with user privileges to inject arbitrary ABAP code. This flaw, affecting versions S4CORE 102 through 108, bypasses authorization checks and essentially acts as a backdoor, risking full system compromise.
• SAP Landscape Transformation (SLT): Similarly, a code injection vulnerability (CVE-2025-31330, CVSS 9.9) exists in SAP Landscape Transformation (SLT), impacting versions DMIS 2011_1_700, 2011_1_710, 2011_1_730, and 2011_1_731. This vulnerability also enables the injection of arbitrary ABAP code, posing a severe threat to system security.

Authentication Bypass in SAP Financial Consolidation:

Another critical vulnerability (CVE-2025-30016, CVSS 9.8) was found in SAP Financial Consolidation. This flaw allows an unauthenticated attacker to gain unauthorized access to the Admin account, due to improper authentication mechanisms.

Other Notable Updates:

The April 2025 patch day also included updates for previously released Security Notes, addressing issues such as improper authorization in SAP BusinessObjects Business Intelligence platform (CVE-2025-0064) and a Mixed Dynamic RFC Destination vulnerability in SAP NetWeaver Application Server ABAP (CVE-2025-23186).

High and Medium Priority Vulnerabilities:

Beyond the critical flaws, the patch day addressed a range of high and medium priority vulnerabilities across various SAP products, including SAP Commerce Cloud, SAP Capital Yield Tax Management, SAP NetWeaver, SAP ERP BW Business Content, and SAP BusinessObjects Business Intelligence Platform. These vulnerabilities include Time-of-Check Time-of-Use (TOCTOU) Race Condition, Directory Traversal, Information Disclosure, Code Injection, Insecure File Permissions, and Cross-Site Scripting (XSS).

Low Priority Updates:

A low-priority update was also released for a Server Side Request Forgery (SSRF) vulnerability in SAP CRM and SAP S/4HANA (Interaction Center).

Call to Action:

Given the severity of the vulnerabilities addressed in the April 2025 SAP Security Patch Day, particularly the critical code injection flaws, it is imperative that SAP customers apply these updates immediately. Failure to do so could expose their systems to significant security risks, including unauthorized access, data breaches, and full system compromise. Organizations should prioritize the patching of systems affected by the critical vulnerabilities and ensure that all relevant security notes are applied promptly to maintain the security and integrity of their SAP environments.

Related Posts:

• A total of 10 Security in SAP was patched
• SAP Patches Critical BusinessObjects Vulnerability with October Security Updates
• SAP Security Patch Day February 2025: Multi Vulnerabilities Addressed
• SAP Patches Multiple Vulnerabilities in November 2024 Security Patch Day
• SAP Patches High-Severity XSS and Authorization Flaws in Latest Security Updates