SAP has released its July 2025 Security Patch Day update, addressing a significant number of vulnerabilities across its enterprise software portfolio.
The comprehensive security update includes 27 new Security Notes and 3 updates to previously released patches, with seven vulnerabilities classified as critical based on their CVSS scores.
The most severe vulnerability, affecting SAP Supplier Relationship Management (Live Auction Cockpit), has received the maximum CVSS score of 10.0, indicating the urgent need for immediate patching across SAP environments worldwide.
Key Takeaways
1. SAP released 27 new Security Notes plus 3 updates on July 8, 2025.
2. Seven critical vulnerabilities identified, with CVE-2025-30012 scoring maximum CVSS 10.0.
3. Affects major SAP products including S/4HANA, NetWeaver, ABAP Platform, and SAPCAR.
4. Immediate patch deployment is recommended for critical authentication and injection vulnerabilities.
Critical SAP SRM Vulnerability (CVE-2025-30012)
The seven critical vulnerabilities identified in this patch cycle pose significant risks to SAP environments and require immediate administrative action.
The most severe threat comes from CVE-2025-30012, a multiple vulnerability issue in SAP Supplier Relationship Management (Live Auction Cockpit) affecting SRM_SERVER version 7.14.
The vulnerability is particularly concerning due to its maximum CVSS score of 10.0, indicating that it presents an extremely high risk to affected systems with potential for complete system compromise.
The vulnerability is part of a broader security concern that encompasses multiple related CVEs, including CVE-2025-30009, CVE-2025-30010, CVE-2025-30011, and CVE-2025-30018.
This interconnected nature suggests that the vulnerability affects multiple components or functions within the Live Auction Cockpit, potentially creating multiple attack vectors that malicious actors could exploit simultaneously.
Six Additional Critical Flaws
Six additional critical vulnerabilities, all scoring 9.1 on the CVSS scale, target various components of SAP’s infrastructure.
CVE-2025-42967 addresses a code injection vulnerability in SAP S/4HANA and SAP SCM (Characteristic Propagation), affecting multiple versions including SCMAPO 713-714, S4CORE 102-104, and S4COREOP 105-108.
The remaining critical vulnerabilities focus on insecure deserialization issues across SAP NetWeaver Enterprise Portal components, including CVE-2025-42980 in the Federated Portal Network, CVE-2025-42964 in Portal Administration, CVE-2025-42966 in XML Data Archiving Service, and CVE-2025-42963 in the Log Viewer application for Java environments.
High and Medium Severity Flaws
High-priority vulnerabilities include CVE-2025-42959, which addresses missing authentication checks in SAP NetWeaver ABAP Server and ABAP Platform across multiple SAP_BASIS versions ranging from 700 to 915.
This vulnerability scores 8.1 on the CVSS scale and affects a broad range of SAP installations.
Medium-priority vulnerabilities encompass a diverse range of security issues, including Cross-Site Scripting (XSS) vulnerabilities such as CVE-2025-42969 in SAP NetWeaver Application Server ABAP and CVE-2025-42962 in SAP Business Warehouse.
Directory traversal vulnerabilities affecting SAPCAR (CVE-2025-42970) and privilege escalation issues (CVE-2025-43001) further demonstrate the comprehensive nature of this security update.
The SAPCAR utility, essential for SAP package management, requires attention across versions 7.53 and 7.22EXT to address multiple security concerns including memory corruption (CVE-2025-42971) and insecure file operations.
| CVEs | Product | Type | CVSS 3.1 Score |
| CVE-2025-30012 | SAP Supplier Relationship Management (Live Auction Cockpit) | Multiple Vulnerabilities | 10.0 (Critical) |
| CVE-2025-42967 | SAP S/4HANA and SAP SCM (Characteristic Propagation) | Code Injection | 9.1 (Critical) |
| CVE-2025-42980 | SAP NetWeaver Enterprise Portal Federated Portal Network | Insecure Deserialization | 9.1 (Critical) |
| CVE-2025-42964 | SAP NetWeaver Enterprise Portal Administration | Insecure Deserialization | 9.1 (Critical) |
| CVE-2025-42966 | SAP NetWeaver (XML Data Archiving Service) | Insecure Java Deserialization | 9.1 (Critical) |
| CVE-2025-42963 | SAP NetWeaver Application Server for Java (Log Viewer) | Unsafe Java Deserialization | 9.1 (Critical) |
| CVE-2025-42959 | SAP NetWeaver ABAP Server and ABAP Platform | Missing Authentication Check | 8.1 (High) |
| CVE-2025-42953 | SAP NetWeaver Application Server for ABAP | Missing Authorization Check | 8.1 (High) |
| CVE-2024-53677 | SAP Business Objects Business Intelligence Platform (CMC) | Insecure File Operations | 8.0 (High) |
| CVE-2025-42952 | SAP Business Warehouse and SAP Plug-In Basis | Missing Authorization Check | 7.7 (High) |
| CVE-2025-42977 | SAP NetWeaver Visual Composer | Directory Traversal | 7.6 (High) |
| CVE-2025-43001 | SAPCAR | Multiple Privilege Escalation | 6.9 (Medium) |
| CVE-2025-42993 | SAP S/4HANA (Enterprise Event Enablement) | Missing Authorization Check | 6.7 (Medium) |
| CVE-2025-42981 | SAP NetWeaver Application Server ABAP | Multiple Vulnerabilities | 6.1(Medium) |
| CVE-2025-42969 | SAP NetWeaver Application Server ABAP and ABAP Platform | Cross-Site Scripting (XSS) | 6.1 (Medium) |
| CVE-2025-42962 | SAP Business Warehouse (Business Explorer Web 3.5 loading animation) | Cross-Site Scripting (XSS) | 6.1(Medium) |
| CVE-2025-42985 | SAP BusinessObjects Content Administrator workbench | Open Redirect | 6.1(Medium) |
| CVE-2025-42970 | SAPCAR | Directory Traversal | 5.8 (Medium) |
| CVE-2025-42979 | SAP GUI for Windows | Insecure Key & Secret Management | 5.6(Medium) |
| CVE-2025-42973 | SAP Data Services (DQ Report) | Cross-Site Scripting (XSS) | 5.4 (Medium) |
| CVE-2025-42968 | SAP NetWeaver (RFC enabled function module) | Missing Authorization Check | 5.0 (Medium) |
| CVE-2025-42961 | SAP NetWeaver Application Server for ABAP | Missing Authorization Check | 4.9 (Medium) |
| CVE-2025-42960 | SAP Business Warehouse and SAP BW/4HANA BEx Tools | Missing Authorization Check | 4.3 (Medium) |
| CVE-2025-42986 | SAP NetWeaver and ABAP Platform | Missing Authorization Check | 4.3 (Medium) |
| CVE-2025-42974 | SAP NetWeaver and ABAP Platform (SDCCN) | Missing Authorization Check | 4.3 (Medium) |
| CVE-2025-31326 | SAP BusinessObjects Business Intelligence Platform (Web Intelligence) | HTML Injection | 4.1 (Medium) |
| CVE-2025-42965 | SAP BusinessObjects BI Platform Central Management Console Promotion Management Application | Server Side Request Forgery (SSRF) | 4.1(Medium) |
| CVE-2025-42971 | SAPCAR | Memory Corruption | 4.0 (Medium) |
| CVE-2025-42978 | SAP NetWeaver Application Server Java | Insufficiently Secure Hostname Verification for Outbound TLS Connections | 3.5 (Low) |
| CVE-2025-42954 | SAP NetWeaver Business Warehouse (CCAW application) | Denial of Service (DoS) | 2.7 (Low) |
Immediate Patching Required
SAP has emphasized the critical importance of applying these security patches immediately, particularly given the severity of the identified vulnerabilities.
The company strongly recommends that customers visit the Support Portal and prioritize patch implementation to protect their SAP landscape from potential security breaches.
The broad scope of affected products, ranging from SAP_BASIS components to specialized applications like Business Objects Business Intelligence Platform, underscores the importance of comprehensive patch management strategies.
The updates address fundamental security concerns, including authentication bypasses, authorization failures, and injection vulnerabilities that could potentially compromise entire SAP environments.
Exclusive Webinar Alert: Harnessing Intel® Processor Innovations for Advanced API Security – Register for Free
