SAP has released 14 new Security Notes as part of the June 10, 2025 Patch Day, including 1 HotNews and 4 High Priority updates. This month’s release addresses serious vulnerabilities spanning missing authorization checks, directory traversal, cross-site scripting, and information disclosure.

A critical HotNews note in NetWeaver AS ABAP leads the charge, alongside a continued wave of Visual Composer issues and high-risk flaws in GRC, BW, BusinessObjects, and MDM.

HotNews: CVE-2025-42989

Missing Authorization Check in NetWeaver AS ABAP 

Security Note #3600840 (CVSS 9.6): Authenticated attackers can bypass the S_RFC authorization object in tRFC/qRFC calls, enabling privilege escalation and potential system compromise. The affected versions include KERNEL 7.89, 7.93, 9.14, and 9.15.

The key recommendation is to deploy this patch immediately. Be aware that after applying, additional S_RFC authorizations may need to be granted – SAP Note #3601919 provides configuration guidance.

High Priority Notes

CVE-2025-42982 – Info Disclosure in SAP GRC AC Plugin

Note #3609271 (CVSS 8.8): Low-privilege users can access sensitive GRC credentials and data. Apply immediately.

CVE-2025-42983 – Missing Authorization in BW & Plug-In Basis

Note #3606484 (CVSS 8.5): Remote-enabled function allows deletion of database tables without proper checks – high impact. Patch urgently.

CVE-2025-23192 – XSS in BusinessObjects BI Workspace

Note #3560693 (CVSS 8.2): Reflected XSS vulnerability enables malicious scripts to hijack sessions. Implement the fix promptly.

CVE-2025-42977 – Directory Traversal in Visual Composer

Note #3610591 (CVSS 7.6): Authenticated users can read or modify arbitrary files. This marks a new wave of Visual Composer exploits. Immediate patching advised.

CVE-2025-42994 – Multiple Vulnerabilities in MDM Server

Note #3610006 (CVSS 7.5): Includes memory corruption and session hijacking flaws, affecting availability and session integrity. Deploy patch immediately. 

Medium Priority Notes

Summary Table

Patching and Mitigation Recommendations

• HotNews: Deploy Security Note #3600840 immediately. Review S_RFC role assignments post-patch.

• High Priority: Patch GRC, BW, BI, Visual Composer, and MDM without delay.

• Medium: Integrate into routine update cycles.

• Mitigation: Where unable to update, isolate vulnerable services, enforce stricter RFC authorization (SACF), and enhance logging and monitoring, especially for Visual Composer and RFC access paths.

Final Thoughts

June 2025 Patch Day brings a shifted threat landscape: one critical HotNews and GRC, BW, BI Workspace, Visual Composer, and MDM at the high end. The persistence of Visual Composer vulnerabilities is especially worrying. 
 
Action Plan for SAP Security Teams is the following: 
1. Immediately apply HotNews fix and verify S_RFC permissions. 
2. Proceed to high-priority patches for GRC, BW, BI, Visual Composer, and MDM. 
3. Prioritize medium-rated vulnerabilities based on internal exposure. 
4. Harden access to RFC endpoints, visualize Composer, and BI Workspace. 
5. Leverage external threat intel and automated patch tools to minimize response time. 
 
Act quickly to maintain resilience – June’s patch cycle reinforces the urgency of comprehensive, prompt SAP security maintenance.