SAP has released 15 new Security Notes as part of the August 12, 2025 Patch Day, along with 4 updates to previously released notes. This month’s release addresses critical vulnerabilities in S/4HANA, Landscape Transformation, and Business One, including three remote code execution (RCE) flaws with CVSS scores of 9.9.
The most urgent issues relate to code injection vulnerabilities via RFC-exposed function modules, posing a significant risk of system compromise, data breach, and privilege escalation.
Critical Vulnerabilities (CVSS 9.9): Triple Code Injection Threat
CVE-2025-27429 – Code Injection via RFC in S/4HANA
Security Note #3581961 (CVSS 9.9):
An attacker with low privileges can inject arbitrary ABAP code into systems via RFC function modules in the Landscape Transformation stack. The vulnerability allows full system compromise, impacting confidentiality, integrity, and availability.
Recommendation: Apply this patch immediately across all S/4HANA systems using CA-LT-ANA.
CVE-2025-42950 – Code Injection in SAP Landscape Transformation
Security Note #3633838 (CVSS 9.9):
Same core vulnerability as above, but found in systems using SAP Landscape Transformation (SLT) Analysis Platform. Exploitation leads to remote ABAP execution and potentially full system takeover.
Recommendation: Patch SLT and restrict RFC access to transformation modules.
CVE-2025-42957 – Code Injection in S/4HANA Analytics
Security Note #3627998 (CVSS 9.9):
Affects the analytics transformation layer in S/4HANA. Malicious input through RFC interfaces allows arbitrary code injection with high privileges.
Recommendation: Treat as an emergency patch. Apply across all analytical/data transformation endpoints.
High Priority Notes
CVE-2025-42951 – Broken Authorization in SAP Business One (SLD)
Security Note #3625403 (CVSS 8.8):
Normal users can invoke SLD APIs and gain administrator privileges. This exposes sensitive credentials and can lead to system-wide privilege escalation.
Action: Patch immediately. Ensure only B1SiteUser is permitted to perform SLD operations.
CVE-2025-42976 / CVE-2025-42975 – Memory Corruption & Reflected XSS in NetWeaver ABAP (BIC Document)
Security Note #3611184 (CVSS 8.1 & 6.1):
Crafted requests can crash SAP NetWeaver or expose memory-resident data. The same note also covers an unauthenticated reflected XSS vector that can steal session context from browser clients.
Mitigation: Apply patch. If delayed, temporarily deactivate SICF service /sap/bw/BIC.
CVE-2025-42946 – Directory Traversal in S/4HANA (Bank Comm Management)
Security Note #3614804 (CVSS 6.9):
High-privileged users can access and delete arbitrary OS-level files through improperly validated paths.
Risk: Confidentiality and integrity impacted. Apply patch promptly.
Medium Priority Notes
CVE | Component | CVSS | Type |
---|---|---|---|
CVE-2025-42948 | CRM Email Management | 6.1 | Stored XSS |
CVE-2025-42942 | NetWeaver ICF | 6.1 | Reflected XSS |
CVE-2025-42945 | SAP GUI for HTML | 6.1 | HTML Injection |
CVE-2025-42935 | NetWeaver ICM | 4.1 | Token Logging |
CVE-2025-42934 | S/4HANA Supplier Invoice | 4.3 | CRLF Injection |
CVE-2025-42943 | SAP GUI for Windows | 4.5 | NTLM Hash Disclosure |
CVE-2025-42949 | ABAP SQL Console | 4.9 | Privilege Escalation |
CVE-2025-42955 | SAP Cloud Connector | 3.5 | Auth Check Missing |
Guidance: Integrate these into your normal update cycles based on component exposure and business impact.
Updated Security Notes (4)
CVE | Note | Reason |
---|---|---|
CVE-2025-27429 | 3581961 | Re-classified as critical with updated patch scope |
CVE-2025-42976/42975 | 3611184 | Expanded CVEs and enhanced remediation |
CVE-2025-23194 | 3561792 | Portal patch updates for more SP levels |
CVE-2025-31331 | 3577131 | Revised correction instructions |
Summary Table
Severity | Count | Notable Components |
---|---|---|
Critical (CVSS 9.9) | 3 | S/4HANA, LT, Analytics |
High (8.1–8.8) | 3 | Business One, NetWeaver BIC |
Medium (< 8.0) | 9 | CRM, GUI, ICF, Cloud Connector, ABAP Console |
Patching & Mitigation Recommendations
Critical
- Deploy patches for CVE-2025-27429, 42950, and 42957 immediately.
- Restrict access to RFC-exposed function modules in custom and standard code.
High Priority
- Patch Business One SLD and NetWeaver BIC services.
- Deactivate vulnerable services (like /sap/bw/BIC) if patching is delayed.
Medium Priority
- Disable or restrict GUI input history, UNC path access, and ICM logging formats.
- Patch GUI and ICF components as part of the next planned window.
General
- Review SACF (SAP Authorization Concept Framework) policies for RFCs.
- Monitor logs for abuse of SQL Console, ICF services, and GUI input anomalies.
- Consider temporary network segmentation for critical SAP services if risk persists.
Final Thoughts
August 2025 Patch Day represents the most severe release this year in terms of RCE risk. Three separate CVEs with CVSS 9.9 highlight the fragility of RFC-exposed modules — often overlooked yet central to SAP integration.
Action Plan for SAP Security Teams:
- Immediately deploy fixes for CVE-2025-27429, 42950, and 42957.
- Patch high-risk systems like Business One, NetWeaver BIC, and SLT environments.
- Assess internal RFC exposure, especially in custom code.
- Use SACF, logging, and external monitoring to harden RFC entry points.
- Maintain momentum in patching medium-rated vulnerabilities.
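The "Monitor logs" and "harden RFC entry points" items in the General and Action Plan lists above describe a control, not an implementation. The following is an added illustration of what such RFC monitoring can look like; it is not code from SAP or from the notes. The log line format, the `/ASSUMED/` function group names, the user and host allow-list, and the burst threshold are all assumptions for the example.

```python
"""Flag RFC calls to sensitive function groups that fall outside policy.

Added example: constructed audit-style log lines, an assumed per-group
allow-list of service users and source hosts, and a simple burst rule.
"""
import re
from collections import Counter

# Constructed sample log: time user client src_host function_group result
SAMPLE_LOG = """\
2025-08-13T08:01:02 SLT_SVC 100 10.0.5.20 /ASSUMED/LT_TRANSFORM OK
2025-08-13T08:01:09 SLT_SVC 100 10.0.5.20 /ASSUMED/LT_TRANSFORM OK
2025-08-13T08:02:41 JDOE 100 10.0.9.77 /ASSUMED/LT_TRANSFORM OK
2025-08-13T08:02:42 JDOE 100 10.0.9.77 /ASSUMED/LT_TRANSFORM OK
2025-08-13T08:02:43 JDOE 100 10.0.9.77 /ASSUMED/LT_TRANSFORM FAILED
2025-08-13T08:03:00 SLT_SVC 100 10.0.9.77 /ASSUMED/LT_TRANSFORM OK
2025-08-13T08:05:00 JDOE 100 10.0.9.77 /ASSUMED/HR_READ OK
"""

# Assumed policy: which users may call a sensitive group, and from where.
POLICY = {
    "/ASSUMED/LT_TRANSFORM": {"users": {"SLT_SVC"}, "hosts": {"10.0.5.20"}},
}
LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+) (\S+) (OK|FAILED)$")

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, client, host, group, result = m.groups()
            yield {"ts": ts, "user": user, "client": client,
                   "host": host, "group": group, "result": result}

def detect(log_text, policy=POLICY, burst=3):
    """Return (rule, user, host, group) findings for policed function groups."""
    findings = []
    calls = Counter()  # (user, group) -> number of calls seen so far
    for e in parse(log_text):
        rule = policy.get(e["group"])
        if rule is None:
            continue  # group is not policed; nothing to check
        key = (e["user"], e["group"])
        calls[key] += 1
        if e["user"] not in rule["users"]:
            findings.append(("unexpected_user", e["user"], e["host"], e["group"]))
            if calls[key] == burst:  # repeated probing by a non-service user
                findings.append(("burst", e["user"], e["host"], e["group"]))
        elif e["host"] not in rule["hosts"]:
            findings.append(("unexpected_host", e["user"], e["host"], e["group"]))
    return findings
```

Feeding real audit data through this requires mapping your own log format to the fields in `LINE_RE`; the rules themselves (allowed callers per group, allowed source hosts, burst count) are the part worth keeping.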
The simplicity of these attacks — combined with their deep system reach — calls for immediate response and strong defense.