SAP Security Update: 19 Vulnerabilities Fixed Across Multiple Products

In today’s world of information technology, cybersecurity has become more critical than ever. SAP has released its February 2025 security update, addressing 19 newly discovered vulnerabilities across its product suite.

This update fixes critical security issues in platforms such as SAP NetWeaver, SAP BusinessObjects, SAP Commerce, and others. The vulnerabilities include cross-site scripting (XSS), authentication bypasses, and improper authorization flaws. SAP strongly advises users to apply these updates as soon as possible, as attackers could exploit these vulnerabilities for various malicious activities.

Among the security patches released by SAP, several critical vulnerabilities stand out. Below are some of the most important ones:

Cross-Site Scripting (XSS) in SAP NetWeaver AS Java (CVE-2024-22126)

A critical vulnerability, CVE-2024-22126, has been identified in SAP NetWeaver AS Java (User Admin Application) version 7.50. This XSS vulnerability, rated 8.8 on the CVSS scale, allows attackers to inject malicious scripts into web applications, potentially compromising user data and system integrity. Immediate patching is required to mitigate this risk.

Improper Authorization in SAP BusinessObjects BI Platform (CVE-2025-0064)

A vulnerability identified as CVE-2025-0064 has been found in the Central Management Console of SAP BusinessObjects BI Platform, affecting versions ENTERPRISE 430 and 2025. This flaw, rated 8.7 on the CVSS scale, results from improper authorization mechanisms, enabling attackers to gain unauthorized access to sensitive information.

Path Traversal in SAP Supplier Relationship Management (CVE-2025-25243)

CVE-2025-25243, a path traversal vulnerability, was discovered in the Master Data Management Catalog of SAP Supplier Relationship Management (SRM_MDM_CAT 7.52). With a CVSS score of 8.6, this flaw allows attackers to manipulate file paths, potentially leading to unauthorized access or data corruption.

Authentication Bypass in SAP Approuter (CVE-2025-24876)

A critical vulnerability, CVE-2025-24876, affects the SAP Approuter library, versions 2.6.1 through 16.7.1. This authentication bypass flaw, rated 8.1 on the CVSS scale, enables attackers to bypass authentication mechanisms by injecting malicious authorization codes, putting application security at serious risk.

Multiple Vulnerabilities in SAP Enterprise Project Connection (CVE-2024-38819)

Multiple vulnerabilities, collectively identified as CVE-2024-38819, have been found in SAP Enterprise Project Connection version 3.0. This issue, with a CVSS score of 7.5, encompasses security flaws that could impact system availability and data confidentiality.

Medium and Low-Risk Vulnerabilities

In addition to high-priority vulnerabilities, SAP has also addressed the following medium- and low-risk security issues:

• Open Redirect in SAP HANA extended application services (CVE-2025-24868) – CVSS: 7.1
• Missing Clickjacking Protection in SAP Commerce Backoffice (CVE-2025-24874) – CVSS: 6.8
• Information Disclosure in SAP NetWeaver Application Server ABAP (CVE-2025-23193) – CVSS: 5.3
• Cache Poisoning in SAP Fiori for ERP (CVE-2025-23191) – CVSS: 3.1

Recommended Security Measures

SAP recommends users take the following actions to protect their systems:

✅ Apply updates immediately – Install the latest SAP security patches to close identified vulnerabilities.
✅ Enhance system monitoring – Implement tools to detect suspicious activities within SAP environments.
✅ Conduct regular security audits – Perform system audits to identify and mitigate potential threats.
✅ Educate users and administrators – Raise awareness about phishing attacks and malicious links.

SAP releases security updates every month to enhance the security of its products. The February 2025 update includes critical patches aimed at preventing cyberattacks and safeguarding user data.

Organizations should prioritize applying these patches as soon as possible and conduct regular security assessments to maintain system integrity. Failure to do so could leave vulnerable systems exposed to cybercriminals. In the modern era of information security, vigilance and timely updates must be a top priority for every business.