SAP Security Notes Review: August 2025

[CVE-2025-27429] Code Injection Vulnerability in SAP S/4HANA (Private Cloud or On-Premise) (SAP Note 3581961) and [CVE-2025-42957] Code Injection Vulnerability in SAP S/4HANA (Private Cloud or On-Premise) (SAP Note 3627998)

SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorisation checks. This vulnerability effectively functions as a backdoor, creating the risk of complete system compromise and undermining the confidentiality, integrity, and availability of the system.

[CVE-2025-42950] Code Injection Vulnerability in SAP Landscape Transformation (Analysis Platform) (SAP Note 3633838)

SAP Landscape Transformation (SLT) allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorisation checks. This vulnerability effectively functions as a backdoor, creating the risk of complete system compromise and undermining the confidentiality, integrity, and availability of the system.

[CVE-2025-42976] Multiple Vulnerabilities in SAP NetWeaver Application Server ABAP (BIC Document) (SAP Note 3611184)

This Security note addresses multiple vulnerabilities in SAP NetWeaver Application Server ABAP (BIC Document). The vulnerability details, along with their relevant CVE and CVSS information, can be found below:

Memory Corruption [CVE-2025-42976]: SAP NetWeaver Application Server ABAP (BIC Document) allows an authenticated attacker to craft a request that, when submitted to a BIC Document application, could cause a memory corruption error. On successful exploitation, this results in the crash of the target component

Reflected Cross-Site Scripting [CVE-2025-42975]: SAP NetWeaver Application Server ABAP (BIC Document) allows an unauthenticated attacker to craft a URL link which, when accessed on the BIC Document application, embeds a malicious script. When a victim clicks on this link, the script executes in the victim’s browser, allowing the attacker to access and/or modify information related to the web client without affecting availability.

[CVE-2025-42946] Directory Traversal Vulnerability in SAP S/4HANA (Bank Communication Management) (SAP Note 3614804)

Due to a directory traversal vulnerability in SAP S/4HANA (Bank Communication Management), an attacker with high privileges and access to a specific transaction and method in Bank Communication Management could gain unauthorised access to sensitive operating system files. This could allow the attacker to potentially read or delete these files, hence causing a high impact on confidentiality and a low impact on integrity.

[CVE-2025-42969] Cross-Site Scripting (XSS) Vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform (SAP Note 3596987)

SAP NetWeaver Application Server ABAP and ABAP Platform allow an unauthenticated attacker to inject a malicious script into a dynamically crafted URL. The victim, when tricked into clicking on this crafted URL, unknowingly executes the malicious payload in their browser. On successful exploitation, the attacker can access or modify sensitive information within the scope of the victim’s web browser.