SAP April 2025 Security Patch Day

SAP has released security updates to address several vulnerabilities affecting multiple SAP products.

The critical patch fixes several vulnerabilities affecting multiple SAP products, such as SAP S/4HANA (Private Cloud), SAP Financial Consolidation, SAP BusinessObjects Business Intelligence platform (Central Management Console), and SAP Landscape Transformation (Analysis Platform).

An attacker could exploit some of these vulnerabilities to inject and execute arbitrary code on the vulnerable products, potentially leading to full system compromise, unauthorized access, data manipulation, or disruption of critical business operations.

Sample of the addressed vulnerabilities:

1. SAP S/4HANA (Private Cloud) Code Injection Vulnerability (CVE-2025-27429):

  • CVSS: 9.9
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Consequences: Gain Access

2. SAP Financial Consolidation Authentication Bypass Vulnerability (CVE-2025-30016):

  • CVSS: 9.8
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Consequences: Bypass Security

Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.
