Applexus Technologies Logo
Absoft, now part of Applexus
Learn more about Applexus
Click here to learn more about Applexus
Security Notes Icon

SAP Security Notes Review: May 2025

SAP Support
SAP Technical Services
SAP Managed Service
Blog Post
SAP Application Support
SAP Notes

Share This Post

Overview

SAP’s security patch day for May 2025 has seen the release of 18 OSS SAP security notes. Two notes have been classified as critical, five as high, and eleven as medium based on the CVSS v3.0 Rating.

Security Notes by CVSS v3 Base Scores May 25

Two notes have been released for:

  • SAP NetWeaver
  • SAP Service Parts Management
  • SAP Supplier Relationship Management

Single notes have been released for:

  • SAP S/4HANA Cloud Private Edition or on Premise
  • SAP Business Objects Business Intelligence Platform
  • SAP Landscape Transformation
  • SAP PDCE
  • SAP Gateway Client
  • SAP S/4HANA (Private Cloud & On-Premise)
  • SAP NetWeaver Application Server ABAP and ABAP Platform
  • SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal
  • SAP Digital Manufacturing
  • SAP Data Services Management Console
  • SAP S4/HANA (OData meta-data property)
  • SAP GUI for Windows
Security Notes by Product Category May 25

Vulnerabilities: May 2025 Highlights

[CVE-2024-39592] Missing Authorisation check in SAP PDCE (SAP Note 3483344)

Elements of PDCE do not perform necessary authorisation checks for an authenticated user, resulting in the escalation of privileges.

This allows an attacker to read sensitive information, causing high impact on the confidentiality of the application.

[CVE-2025-31329] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform (SAP Note 3577287)

SAP NetWeaver is vulnerable to an Information Disclosure vulnerability caused by the injection of malicious instructions into user configuration settings. An attacker with administrative privileges can craft these instructions so that when accessed by the victim, sensitive information such as user credentials is exposed. These credentials may then be used to gain unauthorised access to local or adjacent systems. This results in high impact to Confidentiality, with no significant effect on Integrity or Availability.

About this Review

On the second Tuesday of each month, SAP release security updates to their software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations for each of our managed service customers.

There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.

Search by a topic below...

Cloud Services 1
Cloud Services
Cloud Services
Cloud Services
Cloud Services
Cloud Services
Cloud Services
Cloud Services
Cloud Services

Read Our Latest Articles

Didn’t find what you are looking for? Send us your questions.

We are here to help.
Contact Us
Colleagues at work at Absoft SAP Consultancy

Company registration number: SC129581

Registered office: Davidson House, Campus 1, Aberdeen Innovation Park, Bridge of Don, Aberdeen, AB22 8GT

Contact
Connect
SAP Certified PCOE logo
Living Wage Employer

Is Your Business Ready to Embark on an S/4HANA Journey?

Jump Start Your Implementation with

Begin Your CeleRITE Assessment Today
celerite assessments2 (1)