SAP Patch Tuesday August 2025

SAP Patch Tuesday August 2025

1

SAP’s August 2025 Patch Tuesday addresses 25–26 security issues with an emphasis on several critical vulnerabilities involving code injection and insecure deserialization. The updates protect key SAP products such as S/4HANA, Landscape Transformation, NetWeaver, and Business One. Below is a detailed technical explanation of the highest-risk vulnerabilities along with system context and exploitation considerations.

Critical Vulnerabilities with Detailed Notes

CVE-2025-42957 (SAP S/4HANA, Private Cloud/On-Premise)

  • Type: Code Injection
  • Severity: CVSS 9.9
  • SAP Note: 3627998
  • Technical details:
    This vulnerability exists in a remote-enabled RFC function module that fails to properly validate input. It allows any authenticated SAP user to submit crafted payloads that inject and execute arbitrary ABAP code within the system.
  • Context & Impact:
    Since many deployments expose this RFC by default, attackers with minimal privileges can effectively commandeer the entire SAP instance. The injected code can be used to manipulate sensitive data, create persistent backdoors, or disable critical operations.
  • Exploitation notes:
    No user interaction or elevated privileges beyond valid login are required. This lowers the complexity and increases risk from insider threats or remote attackers with stolen credentials.

CVE-2025-42950 (SAP Landscape Transformation, Analysis Platform)

  • Type: Code Injection
  • Severity: CVSS 9.9
  • SAP Note: 3633838
  • Technical details:
    Similar to CVE-42957, this flaw exists in an RFC function module allowing improper input processing that leads to code injection. Local users or compromised accounts can exploit it to execute malicious ABAP code.
  • Context & Impact:
    Often, SAP Landscape Transformation is used in data migration. Exploiting this flaw could corrupt business-critical data, stealthily alter migration outcomes, or provide attackers with escalated access across SAP systems.
  • Exploitation notes:
    Since this involves internal credentials and landscape functions, insider threats and attackers who gain network footholds pose significant risks.

CVE-2025-27429 (SAP S/4HANA, April patch extended)

  • Type: Code Injection
  • Severity: CVSS 9.9
  • SAP Note: 3581961 (updated)
  • Technical details:
    A related code injection flaw originally addressed in April 2025 is further mitigated in this Update. The vulnerability permits attackers to execute arbitrary ABAP code remotely through improperly sanitized inputs.
  • Exploitation notes: Evidence of ongoing exploitation heightens urgency for patching.

CVE-2025-42966 (SAP NetWeaver XML Data Archiving Service)

  • Type: Insecure Deserialization
  • Severity: CVSS 9.1
  • SAP Note: 3610892
  • Technical details:
    This vulnerability stems from unsafe deserialization of untrusted XML input, allowing attackers to craft payloads that influence internal logic and elevate privileges or achieve remote code execution at the SAP kernel level.
  • Impact:
    Attackers can issue operating system commands or pivot within the SAP network environment, compromising other critical systems or services.
  • Exploitation notes: Exposure via web services increases the risk from external attackers pushing malicious XML payloads.

Other Noteworthy Vulnerabilities

  • Broken Authorization in SAP Business One (CVE-2025-42951, CVSS 8.8):
    Authenticated attackers can elevate privileges to database admin via a vulnerable API endpoint, enabling data theft or alteration.
  • Multiple vulnerabilities in SAP NetWeaver Application Server ABAP (CVE-2025-42976, CVSS 8.1):
    Include unauthorized data access and action execution across vital business modules.

    Urgent Recommendations

    • Apply all SAP HotNews and security notes immediately, especially those for S/4HANA, Landscape Transformation, and NetWeaver, after proper testing in controlled environments.
    • Restrict and monitor RFC access to trusted systems only.
    • Implement continuous monitoring for unusual ABAP execution activities or unexpected creation of privileged accounts.
    • Harden SAP environments by reviewing user privileges and locking down APIs that expose sensitive function modules.
    • Prioritize patching where evidence of active exploitation or automated attacks exists to minimize risk exposure.

    Failing to address these vulnerabilities leaves critical SAP systems vulnerable to full compromise by both insider threats and external attackers, with a high chance of severe operational, financial, and reputational harm. Immediate remediation is essential to secure business-critical processes and data.

    Tags:

    1 Comment

    Leave a Reply

    This site uses Akismet to reduce spam. Learn how your comment data is processed.