SAP February 2025 Security Patch Day

SAP has released a patch that fixes several vulnerabilities affecting multiple SAP products such as SAP NetWeaver, SAP BusinessObjects Business Intelligence platform, SAP Supplier Relationship Management, SAP Approuter, SAP Enterprise Project Connection, SAP HANA, SAP Commerce and SAP Commerce Cloud, SAP GUI for Windows and SAP Fiori Apps Reference Library.

The attacker could exploit some of these vulnerabilities to bypass security restrictions, obtain sensitive information, perform cross-site scripting attacks, manipulate data, or gain access to the affected systems.

Sample of the addressed vulnerabilities:

1. SAP NetWeaver AS Java (User Admin Application) Cross-Site Scripting in Vulnerability (CVE-2024-22126):

• CVSS: 8.8
• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: None
• User Interaction: Required
• Consequences: Cross-Site Scripting

2. SAP Approuter Authentication Bypass Via Authorization Code Injection Vulnerability (CVE-2025-24876):

• CVSS: 8.1
• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: None
• User Interaction: Required
• Consequences: Gain Access