Analysis Summary

SAP’s February 2025 Security Patch Day has introduced 19 new Security Notes and two updates to previous patches, addressing high-risk vulnerabilities across multiple SAP products. The updates primarily target cross-site scripting (XSS), authentication bypasses, and authorization flaws in critical platforms like SAP NetWeaver, BusinessObjects, and SAP Commerce. Given the severity of these vulnerabilities, SAP strongly urges customers to apply these patches promptly to mitigate the risk of potential exploitation. Organizations relying on SAP’s cloud services benefit from automatic updates, whereas on-premise users must manually implement the fixes.

Among the most critical vulnerabilities is CVE-2024-22126, an XSS flaw in SAP NetWeaver AS Java (User Admin Application) version 7.50, with a CVSS score of 8.8. This vulnerability enables attackers to inject malicious scripts, potentially compromising user data and system integrity. Another significant issue is CVE-2025-0064 in the SAP BusinessObjects BI Platform, affecting its Central Management Console in versions ENTERPRISE 430 and 2025. This improper authorization flaw, rated at 8.7 CVSS, could permit unauthorized access to sensitive data. Additionally, SAP Supplier Relationship Management (SRM_MDM_CAT 7.52) contains a path traversal vulnerability (CVE-2025-25243, CVSS 8.6), allowing attackers to manipulate file paths and gain unauthorized access.

Other high-priority vulnerabilities include CVE-2025-24876, an authentication bypass issue in SAP Approuter (versions 2.6.1 through 16.7.1) with a CVSS score of 8.1, and CVE-2024-38819, a set of multiple vulnerabilities in SAP Enterprise Project Connection version 3.0, scoring 7.5 CVSS. These flaws could allow attackers to bypass authentication mechanisms, access unauthorized data, or compromise system availability. SAP has also addressed several medium-priority issues, including an open redirect in SAP HANA extended application services (CVE-2025-24868, CVSS 7.1), a missing defense-in-depth measure for clickjacking in SAP Commerce Backoffice (CVE-2025-24874, CVSS 6.8), and an information disclosure flaw in SAP NetWeaver Application Server ABAP (CVE-2025-23193, CVSS 5.3).

With cyber threats evolving, SAP underscores the necessity of keeping systems up to date, as unpatched vulnerabilities can lead to data breaches, unauthorized access, or system disruptions. Organizations should prioritize patching based on CVSS scores and the operational impact while ensuring proper testing before deployment. The full list of security updates is available on the SAP Support Portal, and enterprises must act swiftly to secure their SAP environments against potential cyber threats.

Impact

• Unauthorized Access
• Sensitive Data Theft

Affected Vendors

Remediation

• Refer to SAP Website for patch, upgrade, or suggested workaround information. (Login Required
• Install the latest SAP Security Notes from the SAP Support Portal.
• Ensure on-premise systems are manually updated, as cloud services receive automatic patches.
• Prioritize patches for high-severity vulnerabilities based on CVSS scores and operational impact.
• Focus on fixing critical flaws like XSS (CVE-2024-22126), improper authorization (CVE-2025-0064), and authentication bypass (CVE-2025-24876).
• Implement fixes for cross-site scripting (XSS), path traversal, and authentication bypass vulnerabilities.
• Verify that authorization controls are properly configured to prevent unauthorized access.
• Implement Web Application Firewalls (WAFs) to mitigate XSS and injection attacks.
• Apply least privilege principles for user accounts to minimize potential exploit risks.
• Conduct vulnerability scanning and penetration testing after patch deployment.
• Ensure patches do not disrupt business operations by testing in a controlled environment before full implementation.
• Use Security Information and Event Management (SIEM) solutions to detect exploitation attempts.
• Enable logging and monitoring for suspicious activity related to the patched vulnerabilities.