SAP Security Updates – 10 June 2025

SAP has released security updates to address several vulnerabilities affecting multiple SAP products.

SAP has released a critical patch that fixes several vulnerabilities affecting multiple SAP products such as SAP NetWeaver, SAP S/4 HANA, SAP GRC, SAP Business Warehouse, SAP Plug-In Basis, SAP BusinessObjects Business Intelligence, SAP MDM Server, SAP Business One Integration Framework and SAPUI5 applications.

An attacker could exploit some of these vulnerabilities to perform cross-site scripting attacks, gain elevated privileges, obtain sensitive information, bypass security restrictions, conduct server-side request forgery attacks, manipulate data, or gain access to the affected product.

Sample of the addressed vulnerabilities:

1. Missing Authorization Check in SAP NetWeaver Application Server for ABAP Vulnerability (CVE-2025-42989):

  • CVSS: 9.6
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Consequences: Gain Privileges

2. SAP GRC (AC Plugin) Information Disclosure Vulnerability (CVE-2025-42982):

  • CVSS: 8.8
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Consequences: Obtain Information
Mitigations

The enterprise should deploy this patch as soon as the testing phase is completed.

SAP Security Patch Day June 2025

References