SAP announced the release of 27 new and four updated security notes as part of its July 2025 Security Patch Day on Tuesday, July 8, 2025. This comprehensive update addresses a range of vulnerabilities across SAP’s product portfolio, including six critical flaws that could have significant security implications for organizations worldwide.
Major Security Enhancements
The July 2025 release stands out for both the number and the severity of the issues it addresses. Of the 31 notes (27 new and 4 updated), six are rated Critical, with CVSS scores between 9.1 and 10.0. Four of those six are insecure-deserialization flaws in SAP NetWeaver AS Java components (Enterprise Portal, XML Data Archiving Service, Log Viewer) that require an administrative account to exploit; they are still rated critical because a single compromised or malicious administrator can turn that access into operating-system-level control of the server. The remaining two affect SAP S/4HANA and SCM (Characteristic Propagation) and the SAP SRM Live Auction Cockpit.
Critical Vulnerabilities Overview
The following table summarizes the six critical notes in this patch cycle (scores as published in SAP's note list below):
CVE Identifier | Affected Product/Component | CVSS Score | Vulnerability Type | Description |
---|---|---|---|---|
CVE-2025-30012 | SAP Supplier Relationship Management (Live Auction Cockpit) | 10.0 | Multiple vulnerabilities (related CVE-2025-30009, -30010, -30011, -30018) | Update to the note first released in May 2025; the bundled flaws allow complete system compromise. |
CVE-2025-42967 | SAP S/4HANA, SAP SCM (Characteristic Propagation) | 9.9 | Code Injection | Attackers can inject malicious code and gain full control of the system. |
CVE-2025-42980 | SAP NetWeaver Enterprise Portal (Federated Portal Network) | 9.1 | Insecure Deserialization | A privileged user can upload malicious content, leading to full system compromise. |
CVE-2025-42964 | SAP NetWeaver Enterprise Portal (Administration) | 9.1 | Insecure Deserialization | An administrator can upload a payload that executes arbitrary code. |
CVE-2025-42966 | SAP NetWeaver J2EE-APPS (XML Data Archiving Service) | 9.1 | Insecure Deserialization | An authenticated administrator can take over the server. |
CVE-2025-42963 | SAP NetWeaver Application Server Java (Log Viewer) | 9.1 | Insecure Deserialization | An administrator can compromise the underlying OS and gain complete control. |
Key Takeaways and Recommendations
- Immediate Action Required: SAP urges all customers to apply the latest patches promptly, starting with internet-facing systems and any system running the affected components.
- Prioritization: Remediate the six critical notes first, since exploitation can result in remote code execution, privilege escalation, or full system compromise. Because four of them require an administrative account on NetWeaver AS Java, also review who holds administrator roles on those systems and whether those accounts are protected by strong authentication until the patches are in place.
- Ongoing Vigilance: Regular review and prompt implementation of SAP Security Notes, checked against the actual component versions installed in each system, are essential to maintaining a secure SAP environment.
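The prioritization step above is usually done by hand against the note titles, which list affected components and versions in SAP's own shorthand ("SAP_BASIS 750, SAP_BASIS 751" or "S4CORE 102, 103, 104, S4COREOP 105"). The following is an added example, not SAP tooling or code from this article: it parses that shorthand, matches it against a constructed landscape inventory (the systems PRD, JAV and DEV and their internet_facing flag are invented for illustration), and produces a work list ordered by CVSS with internet-facing systems first on ties. The note records are transcribed from the July 2025 list on this page.

```python
"""Triage SAP Security Notes against a landscape inventory.

Added example, not SAP's own tooling. The note records below are transcribed
from the July 2025 note list on this page; the systems in INVENTORY and their
internet_facing flags are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Note:
    number: str
    cve: str
    title: str
    priority: str
    cvss: float
    affected: str  # the "Versions" text exactly as SAP prints it in the note title


def parse_affected(text):
    """Parse SAP's 'Versions' shorthand into {component: {version, ...}}.

    SAP mixes two styles, sometimes within one note:
      'SAP_BASIS 700, SAP_BASIS 701'        component repeated per version
      'S4CORE 102, 103, 104, S4COREOP 105'  component stated once; bare
                                            versions inherit the last component
    """
    result = {}
    current = None
    for token in (t.strip() for t in text.split(",")):
        if not token:
            continue
        m = re.fullmatch(r"([A-Z][A-Z0-9_-]*)\s+(\S+)", token)
        if m:
            current, version = m.group(1), m.group(2)
        else:
            version = token  # bare version such as '103' or '7.22EXT'
        if current is None:
            raise ValueError(f"version {token!r} appears before any component name")
        result.setdefault(current, set()).add(version)
    return result


# Transcribed from the note list on this page (a subset, enough for the demo).
NOTES = [
    Note("3618955", "CVE-2025-42967", "Code Injection in SAP S/4HANA and SAP SCM (Characteristic Propagation)",
         "Critical", 9.9,
         "SCMAPO 713, 714, S4CORE 102, 103, 104, S4COREOP 105, 106, 107, 108, SCM 700, 701, 702, 712"),
    Note("3621771", "CVE-2025-42963", "Insecure Deserialization in SAP NetWeaver AS Java (Log Viewer)",
         "Critical", 9.1, "LMNWABASICAPPS 7.50"),
    Note("3600846", "CVE-2025-42959", "Missing Authentication check in SAP NetWeaver ABAP Server and ABAP Platform",
         "High", 8.1,
         "SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, "
         "SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, "
         "SAP_BASIS 914, SAP_BASIS 915"),
    Note("3626440", "CVE-2025-42986", "Missing Authorization check in SAP NetWeaver and ABAP Platform",
         "Medium", 4.3,
         "SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, "
         "SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754"),
    Note("3595156", "CVE-2025-42970", "Directory Traversal vulnerability in SAPCAR",
         "Medium", 5.8, "SAP_CAR 7.53, 7.22EXT"),
]

# Constructed inventory: software component versions as you would read them
# from System > Status or SPAM in each system. SIDs and exposure are invented.
INVENTORY = [
    {"sid": "PRD", "internet_facing": True,  "components": {"SAP_BASIS": "758", "S4CORE": "104"}},
    {"sid": "JAV", "internet_facing": True,  "components": {"LMNWABASICAPPS": "7.50"}},
    {"sid": "DEV", "internet_facing": False, "components": {"SAP_BASIS": "750", "SAP_CAR": "7.53"}},
]


def applicable_notes(system, notes):
    """Notes whose affected component/version set overlaps the system's installed components."""
    hits = []
    for note in notes:
        affected = parse_affected(note.affected)
        if any(ver in affected.get(comp, ()) for comp, ver in system["components"].items()):
            hits.append(note)
    return hits


def prioritize(inventory, notes):
    """Return (sid, note number, cvss) items: highest CVSS first, internet-facing systems first on ties."""
    items = []
    for system in inventory:
        for note in applicable_notes(system, notes):
            items.append((system["sid"], note.number, note.cvss, system["internet_facing"]))
    items.sort(key=lambda it: (-it[2], not it[3], it[0]))
    return [(sid, number, cvss) for sid, number, cvss, _ in items]


if __name__ == "__main__":
    for sid, number, cvss in prioritize(INVENTORY, NOTES):
        print(f"{sid}  note {number}  CVSS {cvss}")
```

Treat the output as a first-pass filter only: the component version in a note title tells you the release is in scope, but whether a given system is actually vulnerable depends on the support package and correction levels listed inside the note itself, which this match does not read.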
SAP Security Patch Day – July 2025 (Complete List)
SAP recommends that customers visit the Support Portal and apply these patches as a priority to protect their SAP landscapes.
Note# | Title | Priority | CVSS |
---|---|---|---|
3578900 | Update to Security Note released on May 2025 Patch Day: [CVE-2025-30012] Multiple vulnerabilities in SAP Supplier Relationship Management (Live Auction Cockpit) Related CVEs – CVE-2025-30009, CVE-2025-30010, CVE-2025-30011, CVE-2025-30018 Product – SAP Supplier Relationship Management (Live Auction Cockpit) Version – SRM_SERVER 7.14 | Critical | 10.0 |
3618955 | [CVE-2025-42967] Code Injection vulnerability in SAP S/4HANA and SAP SCM (Characteristic Propagation) Product – SAP S/4HANA and SAP SCM (Characteristic Propagation) Versions – SCMAPO 713, 714, S4CORE 102, 103, 104, S4COREOP 105, 106, 107, 108, SCM 700, 701, 702, 712 | Critical | 9.9 |
3620498 | [CVE-2025-42980] Insecure Deserialization in SAP NetWeaver Enterprise Portal Federated Portal Network Product – SAP NetWeaver Enterprise Portal Federated Portal Network Version – EP-RUNTIME 7.50 | Critical | 9.1 |
3621236 | [CVE-2025-42964] Insecure Deserialization in SAP NetWeaver Enterprise Portal Administration Product – SAP NetWeaver Enterprise Portal Administration Version – EP-RUNTIME 7.50 | Critical | 9.1 |
3610892 | [CVE-2025-42966] Insecure Deserialization vulnerability in SAP NetWeaver (XML Data Archiving Service) Product – SAP NetWeaver (XML Data Archiving Service) Versions – J2EE-APPS 7.50 | Critical | 9.1 |
3621771 | [CVE-2025-42963] Insecure Deserialization in SAP NetWeaver Application Server for Java (Log Viewer) Product – SAP NetWeaver Application Server for Java (Log Viewer) Version – LMNWABASICAPPS 7.50 | Critical | 9.1 |
3600846 | [CVE-2025-42959] Missing Authentication check after implementation of SAP Security Note 3007182 and 3537476 Product – SAP NetWeaver ABAP Server and ABAP Platform Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 914, SAP_BASIS 915 | High | 8.1 |
3623440 | [CVE-2025-42953] Missing Authorization check in SAP NetWeaver Application Server for ABAPProduct – SAP NetWeaver Application Server for ABAP Versions – SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816 | High | 8.1 |
3565279 | [CVE-2024-53677] Insecure File Operations vulnerability in SAP Business Objects Business Intelligence Platform (CMC) Product – SAP Business Objects Business Intelligence Platform (CMC) Versions – ENTERPRISE 430, 2025 | High | 8.0 |
3623255 | [CVE-2025-42952] Missing Authorization check in SAP Business Warehouse and SAP Plug-In BasisProduct – SAP Business Warehouse and SAP Plug-In Basis Versions – PI_BASIS 2006_1_700, 701, 702, 731, 740, SAP_BW 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816 | High | 7.7 |
3610591 | Update to Security Note released on June 2025 Patch Day: [CVE-2025-42977] Directory Traversal vulnerability in SAP NetWeaver Visual ComposerProduct – SAP NetWeaver Visual Composer Version – VCBASE 7.50 | High | 7.6 |
3595143 | [CVE-2025-43001] Multiple Privilege Escalation Vulnerabilities in SAPCAR Related CVE – CVE-2025-42992 Product – SAPCAR Versions – SAP_CAR 7.53, 7.22EXT | Medium | 6.9 |
3580384 | Update to Security Note released on June 2025 Patch Day: [CVE-2025-42993] Missing Authorization Check in SAP S/4HANA (Enterprise Event Enablement) Product – SAP S/4HANA (Enterprise Event Enablement) Versions – SAP_GWFND 757, 758 | Medium | 6.7 |
3577300 | Update to Security Note released on May 2025 Patch Day: [CVE-2025-42997] Information Disclosure vulnerability in SAP Gateway Client Product – SAP Gateway Client Versions – SAP_GWFND 752, 753, 754, 755, 756, 757, 758 | Medium | 6.6 |
3617131 | [CVE-2025-42981] Multiple vulnerabilities in SAP NetWeaver Application Server ABAP Related CVE – CVE-2025-42956 Product – SAP NetWeaver Application Server ABAP Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816 | Medium | 6.1 |
3596987 | [CVE-2025-42969] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform Product – SAP NetWeaver Application Server ABAP and ABAP Platform Versions – SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 | Medium | 6.1 |
3604212 | [CVE-2025-42962] Cross-Site Scripting (XSS) vulnerability in SAP Business Warehouse (Business Explorer Web 3.5 loading animation) Product – SAP Business Warehouse (Business Explorer Web 3.5 loading animation) Versions – DW4CORE 100, 200, 300, 400, 916, SAP_BW 730, 731, 740, 750, 751, 752, 753, 754, 756, 757, 758 | Medium | 6.1 |
3617380 | [CVE-2025-42985] Open Redirect vulnerability in SAP BusinessObjects Content Administrator workbench Product – SAP BusinessObjects Content Administrator workbench Versions – DW4CORE 100, 200, 300, 400, SAP_BW 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816, SAP_BW_VIRTUAL_COMP 701 | Medium | 6.1 |
3595156 | [CVE-2025-42970] Directory Traversal vulnerability in SAPCAR Product – SAPCAR Versions – SAP_CAR 7.53, 7.22EXT | Medium | 5.8 |
3607513 | [CVE-2025-42979] Insecure Key & Secret Management vulnerability in SAP GUI for Windows Product – SAP GUI for Windows Versions – BC-FES-GUI 8.00 | Medium | 5.6 |
3606103 | [CVE-2025-42973] Cross-Site Scripting (XSS) vulnerability in SAP Data Services (DQ Report) Product – SAP Data Services (DQ Report) Version – SBOP_DS_MANAGEMENT_CONSOLE 4.3, 2025 | Medium | 5.4 |
3621037 | [CVE-2025-42968] Missing Authorization check in SAP NetWeaver (RFC enabled function module) Product – SAP NetWeaver (RFC enabled function module) Versions – SAP_BW 700, 701, 702, 710, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816, 914, 916 | Medium | 5.0 |
3610322 | [CVE-2025-42961] Missing Authorization check in SAP NetWeaver Application Server for ABAP Product – SAP NetWeaver Application Server for ABAP Version – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816 | Medium | 4.9 |
3608991 | [CVE-2025-42960] Missing Authorization Check in SAP Business Warehouse and SAP BW/4HANA BEx Tools Product – SAP Business Warehouse and SAP BW/4HANA BEx Tools Version – DW4CORE 100, 200, 300, 400, SAP_BW 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816, SAP_BW_VIRTUAL_COMP 701 | Medium | 4.3 |
3626440 | [CVE-2025-42986] Missing Authorization check in SAP NetWeaver and ABAP Platform Product – SAP NetWeaver and ABAP Platform Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754 | Medium | 4.3 |
3610056 | [CVE-2025-42974] Missing Authorization Check in SAP NetWeaver and ABAP Platform (SDCCN) Product- SAP NetWeaver and ABAP Platform (SDCCN) Version – ST-PI 2008_1_700, 2008_1_710, 740 | Medium | 4.3 |
3573199 | [CVE-2025-31326] HTML Injection vulnerability in SAP BusinessObjects Business Intelligence Platform (Web Intelligence) Product- SAP BusinessObjects Business Intelligence Platform (Web Intelligence) Version – ENTERPRISE 430, 2025, 2027, ENTERPRISECLIENTTOOLS 430, 2025, 2027 | Medium | 4.1 |
3598118 | [CVE-2025-42965] Server Side Request Forgery(SSRF) vulnerability in SAP BusinessObjects BI Platform Central Management Console Promotion Management Application Product- SAP BusinessObjects BI Platform Central Management Console Promotion Management Application Version – ENTERPRISE 430, 2025, 2027 | Medium | 4.1 |
3595141 | [CVE-2025-42971] Memory Corruption vulnerability in SAPCAR Product- SAPCAR Version – SAP_CAR 7.53, 7.22EXT | Medium | 4.0 |
3557179 | [CVE-2025-42978] Insufficiently Secure Hostname Verification for Outbound TLS Connections in SAP NetWeaver Application Server Java Product- SAP NetWeaver Application Server Java Version – ENGINEAPI 7.50 | Low | 3.5 |
3608156 | [CVE-2025-42954] Denial of service (DOS) in SAP NetWeaver Business Warehouse (CCAW application) Product- SAP NetWeaver Business Warehouse (CCAW application) Version – DW4CORE 100, 200, 300, 400, SAP_BW 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816, SAP_BW_VIRTUAL_COMP 701 | Low | 2.7 |