SAP's July 2025 Security Patch Day delivered a total of 27 new security notes and 3 updates to previously released advisories, with several critical vulnerabilities requiring immediate attention. These flaws impact core components such as SAP S/4HANA, NetWeaver, Enterprise Portal, and Live Auction Cockpit, posing risks of remote code execution, insecure deserialization, and authorization bypass.
The most severe vulnerability this month is an update to a previously released note for SAP Supplier Relationship Management (Live Auction Cockpit). With a maximum CVSS score of 10.0, this group of flaws (also tracked under CVE-2025-30009, CVE-2025-30010, CVE-2025-30011, and CVE-2025-30018) allows attackers to fully compromise affected systems. According to SAP, this vulnerability impacts SRM_SERVER 7.14, and successful exploitation may lead to "complete loss of confidentiality, integrity, and availability."
SAP S/4HANA and SAP SCM's Characteristic Propagation feature is affected by a remote code execution vulnerability (CVE-2025-42967, CVSS 9.1) allowing attackers to inject malicious code. "An attacker with high privileges could create a new report with their own code, potentially gaining full control of the affected SAP system," SAP warned. This flaw affects SCMAPO 713, 714, S4CORE 102–108, and SCM 700–712.
An insecure deserialization flaw (CVE-2025-42980, CVSS 9.1) in the Federated Portal Network of SAP NetWeaver Enterprise Portal (EP-RUNTIME 7.50) allows privileged users to upload malicious content. When deserialized, this content could lead to full compromise of the system. The vulnerability endangers the confidentiality, integrity, and availability of the application host.
A similar deserialization issue (CVE-2025-42964, CVSS 9.1) was found in SAP NetWeaver Enterprise Portal Administration, also rated critical. Attackers with administrative access can upload crafted payloads to execute arbitrary code upon deserialization. SAP reiterates that "the impact includes full system compromise and the potential for persistent backdoor installation."
The XML Data Archiving Service component in SAP NetWeaver J2EE-APPS 7.50 is susceptible to insecure Java deserialization (CVE-2025-42966, CVSS 9.1). Authenticated administrators can exploit this flaw to gain full control over the server. This vulnerability underscores the recurring theme of serialization risks within Java-based SAP components.
A critical vulnerability (CVE-2025-42963, CVSS 9.1) in the SAP NetWeaver Application Server for Java (Log Viewer) enables authenticated admin users to exploit unsafe object deserialization. "Successful exploitation can lead to full operating system compromise," SAP noted, with complete control granted to the attacker over LMNWABASICAPPS 7.50.
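The four NetWeaver notes above (CVE-2025-42980, CVE-2025-42964, CVE-2025-42966, CVE-2025-42963) share one root cause: a privileged user can hand the server a serialized Java object that is reconstructed without any restriction on which classes may be instantiated. The example below is added here and is not SAP code; it shows that pattern beside the standard mitigation, a JEP 290 `ObjectInputFilter` allow-list, using a hypothetical `ReportRequest` class and a stand-in `NotExpected` class constructed for the demonstration. Patching the affected components remains the fix for these CVEs; the filter is the defence-in-depth control for any custom Java code that deserializes input.

```java
import java.io.*;

// Added example (not from SAP or the advisory): unfiltered Java deserialization
// beside a JEP 290 allow-list filter. Class names below are hypothetical.
public class DeserializationFilterDemo {

    // The one type the application legitimately expects to receive.
    public static final class ReportRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String reportName;
        ReportRequest(String reportName) { this.reportName = reportName; }
    }

    // Stand-in for any other serializable class present on the classpath.
    public static final class NotExpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // VULNERABLE pattern: every serializable class on the classpath is a
    // candidate for instantiation, so the stream content decides what runs.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // HARDENED pattern: allow only the expected class (plus String for its field),
    // cap object-graph depth and stream size, and deny everything else ("!*").
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "DeserializationFilterDemo$ReportRequest;java.lang.String;maxdepth=5;maxbytes=4096;!*");

    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOW_LIST);
            return ois.readObject(); // throws InvalidClassException if the filter rejects
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payloads: one expected, one not.
        byte[] expected = serialize(new ReportRequest("monthly-sales"));
        byte[] unexpected = serialize(new NotExpected());

        // Without a filter both payloads are accepted.
        System.out.println("unfiltered accepts: " + readUnfiltered(expected).getClass().getSimpleName());
        System.out.println("unfiltered accepts: " + readUnfiltered(unexpected).getClass().getSimpleName());

        // With the allow-list only ReportRequest is accepted.
        System.out.println("filtered accepts:   " + readFiltered(expected).getClass().getSimpleName());
        try {
            readFiltered(unexpected);
            System.out.println("filtered accepted NotExpected (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("filtered rejects:   " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo` (Java 9 or later). The same filter string can be applied process-wide through the `jdk.serialFilter` system property, which is the quicker control when the deserializing code cannot be modified; in either case, logging filter rejections gives a detection signal for crafted uploads of the kind these notes describe.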
Beyond these critical notes, SAP also patched numerous high- to low-severity vulnerabilities, including missing authentication checks, authorization flaws, cross-site scripting (XSS), and directory traversal bugs, across multiple modules, including:
- SAP NetWeaver ABAP Server (CVE-2025-42959, CVE-2025-42953)
- SAP Business Objects Intelligence Platform (CVE-2024-53677)
- SAP BW and Plug-In Basis (CVE-2025-42952)
- SAPCAR utility (CVE-2025-43001, CVE-2025-42970, CVE-2025-42971)
- SAP NetWeaver Visual Composer (CVE-2025-42977)
- SAP GUI for Windows (CVE-2025-42979)
- SAP Business Explorer (CVE-2025-42962)
- SAP BusinessObjects Content Admin Workbench (CVE-2025-42985)
- SAP NetWeaver RFC Module, SDCCN, Log Viewer, and CCAW (CVE-2025-42968, CVE-2025-42974, CVE-2025-42954)
Each of these vulnerabilities carries its own operational impact and should not be overlooked. Organizations leveraging SAP solutions are urged to assess and patch affected systems immediately.