SAP Patch Day August 2025: Critical Code Injection Flaws Threaten Core ERP Systems

Today, 2025, SAP released 15 new Security Notes and 4 updates to previously issued advisories as part of its monthly Security Patch Day. While the update addresses a broad range of issues, several critical and high-severity vulnerabilities stand out for their potential to cause severe business disruption if exploited.

Critical Vulnerabilities (CVSS 9.9)

1. CVE-2025-42957 – Code Injection in SAP S/4HANA (Private Cloud or On-Premise)

A remote function call (RFC) exposure in SAP S/4HANA enables attackers with user-level privileges to inject arbitrary ABAP code into the system, bypassing essential authorization checks. According to SAP, this “effectively functions as a backdoor”, allowing a complete compromise of system confidentiality, integrity, and availability.

2. CVE-2025-42950 – Code Injection in SAP Landscape Transformation (Analysis Platform)

A similar RFC-based flaw in SAP Landscape Transformation (SLT) also allows arbitrary ABAP code injection. Like the S/4HANA issue, this vulnerability “undermines the confidentiality, integrity and availability of the system” and could be used to gain persistent, unauthorized access.

3. CVE-2025-27429 – Code Injection in SAP S/4HANA (Updated Advisory)

This update to the April 2025 Patch Day note addresses another RFC-exposed ABAP injection vulnerability in SAP S/4HANA, functionally similar to CVE-2025-42957, and carrying the same critical risk level.

High Severity Vulnerabilities

4. CVE-2025-42951 – Broken Authorization in SAP Business One (SLD) – CVSS 8.8

A broken authorization check allows authenticated attackers to escalate to database administrator privileges by exploiting an API in SAP Business One’s System Landscape Directory.

5. CVE-2025-42976 & CVE-2025-42975 – Multiple Vulnerabilities in SAP NetWeaver AS ABAP (BIC Document) – CVSS 8.1

Two flaws in SAP NetWeaver’s BIC Document component can be abused by authenticated attackers to cause memory corruption and trigger denial-of-service conditions, potentially leading to the exposure of sensitive in-memory data.

Other Vulnerabilities Addressed

While not as severe, SAP also patched multiple medium- and low-severity vulnerabilities this month, including:

• Directory Traversal in SAP S/4HANA (Bank Communication Management)
• HTML Injection in SAP NetWeaver AS ABAP
• Cross-Site Scripting (XSS) in SAP NetWeaver ABAP Platform
• Information Disclosure in SAP NetWeaver AS for ABAP
• Missing Authorization Checks and Authentication Bypasses across various SAP platforms.

Given the severity of the critical vulnerabilities, we strongly recommend:

• Immediate patch deployment for all affected systems, especially those with internet-facing components.
• Restricting RFC access to trusted network segments only.
• Reviewing system logs for suspicious RFC calls or ABAP code execution attempts.
• Implementing strict role-based access controls to minimize the impact of compromised accounts.

Related Posts:

• SAP April 2025 Patch Day: Critical Code Injection Risks
• SAP’s March 2023 Security Updates Patch 5 Critical-Severity Vulnerabilities
• From Taiwan to Korea: TIDRONE Threat Actor Targets ERP Software