- 89/2025
- Critical
SAP has released security updates to address several vulnerabilities affecting SAP NetWeaver, SAP S/4 HANA, and SAP Field Logistics.
The addressed vulnerabilities could allow the attacker to perform cross-site request forgery attacks, manipulate data, or execute arbitrary code and gain access to the affected product.
Sample of the addressed vulnerabilities:
1. Missing Authorization Check in SAP NetWeaver (Visual Composer Development Server) Vulnerability (CVE-2025-31324):
- CVSS: 10
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
2. Cross-Site Request Forgery (CSRF) Vulnerability in SAP S/4 HANA (Learning Solution) (CVE-2025-31328):
- CVSS: 4.6
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Consequences: Cross-Site Request Forgery
Vulnerabilities
- CVE-2025-31324
- CVE-2025-27429
- CVE-2025-31330
- CVE-2025-31328
- CVE-2025-31327
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.