SAP Patch Tuesday May 2025

SAP has released its May 2025 Patch Tuesday security updates, addressing 16 newly identified vulnerabilities and providing updates to two previously published security notes. These patches cover SAP NetWeaver, SAP S/4HANA, SAP Business Objects, and SAP Supplier Relationship Management (SRM), mitigating risks associated with remote code execution (RCE), privilege escalation, data breaches, and unauthorized system access.

Among the vulnerabilities fixed, CVE-2025-31324, a critical remote code execution flaw in SAP NetWeaver Visual Composer, stands out as an actively exploited zero-day vulnerability, requiring immediate attention. Organizations using SAP products must apply these patches promptly to protect sensitive business data and maintain operational security.

1. Overview of SAP May 2025 Security Updates

Total Vulnerabilities Patched

• Newly Addressed Vulnerabilities: 16
• Previously Updated Security Notes: 2
• Critical Vulnerabilities: 2
• High-Severity Vulnerabilities: 5
• Medium-Severity Vulnerabilities: 9

Zero-Day Vulnerability Patched

CVE-2025-31324 – SAP NetWeaver Visual Composer Remote Code Execution (RCE)

• CVSS Score: 10.0 (Critical)
• Affected Component: Metadata Uploader in SAP NetWeaver Visual Composer
• Impact: Enables unauthenticated remote attackers to upload malicious executable files, leading to system compromise and data theft.
• Exploitation Details:
• The vulnerability originates from insufficient input validation in SAP NetWeaver’s file upload mechanism.
• Attackers leverage this flaw to deploy JSP webshells, granting persistent backdoor access to the compromised server.
• The vulnerability was actively exploited since January 2025, primarily in attacks against manufacturing, retail, and financial institutions.

2. Affected SAP Products & Vulnerabilities

Critical Vulnerabilities

CVE-2025-31324 – SAP NetWeaver Visual Composer (RCE via Arbitrary File Upload)

• Affected Versions: VCFRAMEWORK 7.50 and earlier
• Patch Released: May 14, 2025
• Mitigation Recommendation:
  ✅ Apply SAP Security Patch immediately.
  ✅ Restrict unauthorized access to Visual Composer endpoints.
  ✅ Implement application-layer monitoring to detect suspicious file uploads.

CVE-2025-42999 – SAP NetWeaver Visual Composer (Insecure Deserialization)

• CVSS Score: 9.1 (Critical)
• Affected Versions: VCFRAMEWORK 7.50
• Impact: Allows attackers to execute arbitrary code via crafted serialized objects, leading to privilege escalation and unauthorized system control.
• Patch Recommendation: Organizations must disable unsafe deserialization functions and apply security patches immediately.

High-Severity Vulnerabilities

CVE-2025-30018 – SAP Supplier Relationship Management (SRM) Live Auction Cockpit Security Bypass

• CVSS Score: 8.6 (High)
• Affected Versions: SRM_SERVER 7.14
• Impact: Allows unauthorized manipulation of auction transactions, potentially leading to financial fraud.

CVE-2025-43010 – SAP S/4HANA Cloud Private Edition (Code Injection)

• CVSS Score: 8.3 (High)
• Affected Versions: S4CORE 102-108, SCM_BASIS 700-714
• Impact: Enables attackers to inject malicious code into the SCM Master Data Layer (MDL), compromising supply chain security.

CVE-2025-43000 – SAP Business Objects Business Intelligence Platform (Information Disclosure)

• CVSS Score: 7.9 (High)
• Affected Versions: ENTERPRISE 430, 2025, 2027
• Impact: Unauthorized access to sensitive business intelligence reports, enabling data exfiltration attacks.

Medium-Severity Vulnerabilities

• CVE-2025-31329 – SAP NetWeaver Application Server ABAP (Information Disclosure)
• CVE-2025-43003 – SAP S/4HANA (Private Cloud & On-Premise) Information Disclosure
• CVE-2025-43009 – SAP Service Parts Management (Missing Authorization Check)

3. Exploitation & Attack Methods

Active Exploitation of CVE-2025-31324

• Cybersecurity analysts have reported confirmed attacks leveraging CVE-2025-31324, primarily targeting SAP NetWeaver Visual Composer servers exposed to the internet.
• Affected industries include energy, utilities, finance, media, pharmaceuticals, and government agencies.
• The attack method typically involves:
• Uploading malicious JSP webshells to vulnerable endpoints.
• Privilege escalation via insecure deserialization flaws.
• Data exfiltration using remote execution payloads.

Observed Attack Techniques

• Remote Code Execution (RCE) – Exploiting file upload weaknesses in SAP NetWeaver to gain remote access.
• Privilege Escalation – Using deserialization exploits to increase access privileges.
• Data Theft & Intelligence Gathering – Leveraging vulnerabilities in SAP Business Objects to steal sensitive reports.

4. Recommended Security Measures for SAP Administrators

A. Apply Security Updates Immediately

✅ Install SAP Security Notes using SAP Solution Manager.
✅ Update SAP NetWeaver, SAP S/4HANA, and SAP Business Objects.

B. Restrict Access to Vulnerable Components

🔹 Disable Visual Composer endpoints unless required.
🔹 Implement firewall rules to prevent unauthorized access.

C. Enable Intrusion Detection & Monitoring

🔸 Deploy Intrusion Detection Systems (IDS) to detect suspicious SAP activity.
🔸 Audit logs for unauthorized webshell uploads or access attempts.

D. Strengthen Authorization Controls

🔹 Enforce multi-factor authentication (MFA) for all SAP administrative accounts.
🔹 Implement role-based access control (RBAC) to limit privilege escalation.

5. Conclusion

The May 2025 SAP Patch Tuesday update is critical for securing SAP NetWeaver, S/4HANA, and Business Objects environments. With 16 vulnerabilities patched, including actively exploited zero-day flaws, organizations must prioritize updates to mitigate risks.

Ignoring these security patches could result in data breaches, financial loss, and operational disruptions, making it crucial for SAP administrators to apply updates immediately.

🔗 Official SAP Security Patch Notes: Read more