![Pathlock CEO Piyush Pandey on Reshaping Application Access Governance: Insights from KuppingerCole Reports](https://pathlock.com/wp-content/uploads/2023/08/KC_Report_Piyush_insights-112x112.jpg")
![Pathlock Reshapes the Access Governance Market with a Series of Strategic Mergers](https://pathlock.com/wp-content/uploads/2022/05/MicrosoftTeams-image-7-112x112.png")
SAP Patch Day May 2025: Key Security Updates in Focus
SAP has released 18 Security Notes on May 13, 2025, including 16 new notes and 2 updates to previously published advisories. The May release addresses a broad spectrum of vulnerabilities, ranging from critical authorization issues to remote code execution, information disclosure, and cross-site scripting.
Two particularly dangerous flaws affect SAP NetWeaver Visual Composer, both with CVSS scores over 9.0. Additionally, critical vulnerabilities are present in SAP S/4HANA, Business Objects, and Live Auction Cockpit.
Let’s examine the most significant updates in this month’s release.
CVE-2025-31324 – Missing Authorization Check in SAP NetWeaver Visual Composer
This critical vulnerability (CVSS 10.0) allows unauthenticated users to upload malicious executables to the Visual Composer development server. If exploited, this can lead to complete system compromise, including data theft and service disruption. The fix applies to VCFRAMEWORK 7.50 and must be implemented immediately. This note updates the April 2025 Patch Day release.
CVE-2025-42999 – Insecure Deserialization in SAP NetWeaver Visual Composer
Following up on the previous issue, this separate but related vulnerability (CVSS 9.1) allows privileged users to exploit insecure deserialization and potentially execute malicious code on the host system. SAP has removed the vulnerable deserialization logic and recommends optional integration with Virus Scan Interface (VSI). Organizations using SAP NetWeaver Visual Composer should apply this patch in parallel with CVE-2025-31324.
CVE-2025-30018 – Multiple Vulnerabilities in SAP SRM Live Auction Cockpit
A set of five vulnerabilities affect the Live Auction Cockpit in SAP SRM (CVSS up to 8.6), including: Blind XXE, Reflected XSS, Open Redirect, Information Disclosure, and Insecure Deserialization. These stem from deprecated Java applets and can be exploited without authentication. Organizations using SRM 7.14 should decommission the Java applet components and follow SAP Note guidance for safe configurations.
CVE-2025-43010 – Code Injection in SAP S/4HANA SCM Master Data Layer
With a CVSS score of 8.3, this vulnerability allows low-privileged users to remotely inject ABAP code that can modify or destroy system programs. The vulnerable function module has been deprecated. Affected are both on-premise and private cloud installations across multiple S4CORE and SCM_BASIS versions.
CVE-2025-43000 – Information Disclosure in SAP BusinessObjects PMW
This vulnerability (CVSS 7.9) in the Promotion Management Wizard (PMW) allows attackers to access restricted files. SAP recommends isolating PMW installations and patching all relevant servers. Affected systems include SAP BusinessObjects Enterprise versions 430, 2025, and 2027.
CVE-2025-43011 – Missing Authorization in SAP Landscape Transformation (PCL)
A missing authorization check in the PCL Basis module allows low-privileged users to access restricted transformation functions (CVSS 7.7). This vulnerability affects a wide range of DMIS and S4CORE versions, and can expose sensitive business process data.
CVE-2024-39592 – SAP PDCE (Update to July 2024 Note)
An updated fix addresses a high-severity (CVSS 7.7) authorization bypass in SAP PDCE, affecting business analytics components. This is an update to a previously released note from July 2024 and extends support for newer SP levels.
Other Medium-Priority Vulnerabilities
| CVE | Product / Description | CVSS |
|---|---|---|
| CVE-2025-42997 | SAP Gateway Client – Info disclosure via crafted OData requests | 6.6 |
| CVE-2025-43003 | SAP S/4HANA CRM – Sensitive fields exposed via UI manipulation | 6.4 |
| CVE-2025-43009 / -43007 | SAP SPM – Authorization flaws in Service Parts Management (RFC/Batch replication) | 6.3 |
| CVE-2025-31329 | SAP NetWeaver AS ABAP – Admin user can leak credentials via SM59 injection | 6.2 |
| CVE-2025-43006 | SAP SRM MDM Catalog – XSS via malformed input | 6.1 |
| CVE-2025-43008 | SAP HCM Portugal – View employee data without authorization | 5.8 |
| CVE-2025-43004 | SAP Digital Manufacturing – POD misconfiguration exposes data | 5.3 |
| CVE-2025-26662 | SAP Data Services Console – XSS on management interface | 4.4 |
| CVE-2025-43002 | SAP S/4HANA OData – Meta-data property lacks authorization check | 4.3 |
| CVE-2025-43005 | SAP GUI for Windows – Credential leak due to weak obfuscation in GuiXT | 4.3 |
Patching and Mitigation Recommendations
• Patch all Critical and High CVSS vulnerabilities immediately.
• For Medium CVSS vulnerabilities, prioritize based on business exposure and ease of exploitation.
• Where updates aren’t possible, mitigation strategies like disabling vulnerable components, isolating services (e.g., PMW), and enforcing stricter RFC authorization checks (via SACF) are recommended.
Final Thoughts
May 2025’s SAP Patch Day highlights several serious vulnerabilities in legacy UI components, authorization frameworks, and interface layers. With two CVEs at or near the maximum CVSS score, and multiple system-level flaws, timely patching is imperative.
Organizations are encouraged to perform thorough system reviews, deprecate outdated Java-based components (such as those in Live Auction Cockpit), and adopt SAP’s recommended hardening practices.
