SAP has fastened two essential vulnerabilities affecting NetWeaver internet software server that may very well be exploited to escalate privileges and entry restricted data.
As a part of the January Safety Patch Day, the seller additionally launched updates for different merchandise to patch 12 further points rated with medium and excessive severity.
“SAP strongly recommends that the shopper visits the Assist Portal and applies patches on precedence to guard their SAP panorama,” reads the corporate’s safety bulletin.
The 4 most extreme safety downside SAP addressed this month are summarized as follows:
- CVE-2025-0070, essential severity, 9.9 rating): Improper authentication in SAP NetWeaver Software Server for ABAP and ABAP Platform permits an authenticated attacker to use improper authentication checks, leading to privilege escalation and considerably impacting confidentiality, integrity, and availability.
- CVE-2025-0066, essential severity, 9.9 rating: Info disclosure vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (Web Communication Framework) happens attributable to weak entry controls, enabling an attacker to entry restricted data and considerably compromising confidentiality, integrity, and availability.
- CVE-2025-0063, excessive severity, 8.8 rating: SQL injection vulnerability in SAP NetWeaver AS ABAP and ABAP Platform arises from a scarcity of authorization checks for sure RFC perform modules. This enables an attacker with fundamental privileges to compromise an Informix database, main to a whole lack of confidentiality, integrity, and availability.
- CVE-2025-0061, excessive severity, 8.7 rating: A number of vulnerabilities in SAP BusinessObjects Enterprise Intelligence Platform enable an unauthenticated attacker to carry out session hijacking over the community attributable to an data disclosure difficulty. This permits the attacker to entry and modify all software information.
Affect and proposals
SAP merchandise serve giant enterprises throughout industries akin to manufacturing, finance, retail, healthcare, and authorities, fulfilling essential roles for managing enterprise operations and buyer relations.
SAP NetWeaver is a core platform for operating ABAP functions and enabling safe communication by way of the Web Communication Framework. It’s usually utilized by IT directors, builders, and consultants in enterprises managing ERP programs for finance, HR, and provide chain.
SAP BusinessObjects is a platform for reporting, analytics, and information visualization utilized by analysts, decision-makers, and IT groups to derive insights and assist strategic selections.
Hackers up to now have focused SAP merchandise that had not been up to date to deal with recognized vulnerabilities or have been improperly configured, leaving networks uncovered to breaches.
The German vendor strongly recommends that prospects apply the most recent patches accessible to guard their SAP surroundings.