SAP has fastened two vital vulnerabilities affecting NetWeaver net software server that might be exploited to escalate privileges and entry restricted info.
As a part of the January Safety Patch Day, the seller additionally launched updates for different merchandise to patch 12 further points rated with medium and excessive severity.
“SAP strongly recommends that the shopper visits the Assist Portal and applies patches on precedence to guard their SAP panorama,” reads the corporate’s safety bulletin.
The 4 most extreme safety drawback SAP addressed this month are summarized as follows:
- CVE-2025-0070, vital severity, 9.9 rating): Improper authentication in SAP NetWeaver Utility Server for ABAP and ABAP Platform permits an authenticated attacker to use improper authentication checks, leading to privilege escalation and considerably impacting confidentiality, integrity, and availability.
- CVE-2025-0066, vital severity, 9.9 rating: Data disclosure vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (Web Communication Framework) happens as a consequence of weak entry controls, enabling an attacker to entry restricted info and considerably compromising confidentiality, integrity, and availability.
- CVE-2025-0063, excessive severity, 8.8 rating: SQL injection vulnerability in SAP NetWeaver AS ABAP and ABAP Platform arises from a scarcity of authorization checks for sure RFC operate modules. This permits an attacker with fundamental privileges to compromise an Informix database, main to an entire lack of confidentiality, integrity, and availability.
- CVE-2025-0061, excessive severity, 8.7 rating: A number of vulnerabilities in SAP BusinessObjects Enterprise Intelligence Platform permit an unauthenticated attacker to carry out session hijacking over the community as a consequence of an info disclosure situation. This allows the attacker to entry and modify all software knowledge.
Affect and suggestions
SAP merchandise serve giant enterprises throughout industries similar to manufacturing, finance, retail, healthcare, and authorities, fulfilling vital roles for managing enterprise operations and buyer relations.
SAP NetWeaver is a core platform for operating ABAP functions and enabling safe communication by way of the Web Communication Framework. It’s usually utilized by IT directors, builders, and consultants in enterprises managing ERP techniques for finance, HR, and provide chain.
SAP BusinessObjects is a platform for reporting, analytics, and knowledge visualization utilized by analysts, decision-makers, and IT groups to derive insights and assist strategic choices.
Hackers previously have focused SAP merchandise that had not been up to date to handle recognized vulnerabilities or have been improperly configured, leaving networks uncovered to breaches.
The German vendor strongly recommends that prospects apply the newest patches accessible to guard their SAP surroundings.