SAP has released its monthly Security Patch Day update for April 2025, addressing 18 new security vulnerabilities and providing updates to 2 previously released Security Notes.
The patch collection, released on April 8, includes three critical vulnerabilities with Common Vulnerability Scoring System (CVSS) scores ranging from 9.8 to 9.9, underscoring the importance of immediate implementation for organizations running affected SAP systems.
Critical Vulnerabilities Addressed
The most severe vulnerabilities in this month’s release include code injection flaws in SAP S/4HANA Private Cloud (CVE-2025-27429) and SAP Landscape Transformation Analysis Platform (CVE-2025-31330), both carrying maximum CVSS scores of 9.9.
These vulnerabilities could potentially allow attackers to execute arbitrary code with system privileges.
Additionally, SAP addressed a critical authentication bypass vulnerability (CVE-2025-30016) in SAP Financial Consolidation with a CVSS score of 9.8, which could enable unauthorized access to sensitive financial systems.
“The critical vulnerabilities identified this month pose significant risks to enterprise environments if left unpatched,” said an SAP security spokesperson.
“Immediate patching is strongly recommended to mitigate potential exploitation.”
High-Risk Vulnerabilities
The April update also remediated five high-severity vulnerabilities with CVSS scores between 7.7 and 8.8, including:
- An improper authorization issue in the SAP BusinessObjects Business Intelligence platform (CVE-2025-0064) with CVSS 8.8
- A Mixed Dynamic RFC Destination vulnerability through Remote Function Call in SAP NetWeaver Application Server ABAP (CVE-2025-23186) with CVSS 8.5
- Time-of-check Time-of-use race condition in Apache Tomcat within SAP Commerce Cloud (CVE-2024-56337) with CVSS 8.1
- Directory Traversal vulnerabilities in SAP Capital Yield Tax Management (CVE-2025-30014) and SAP NetWeaver and ABAP Platform (CVE-2025-27428), both with CVSS 7.7
Medium and Low-Risk Issues
The remaining security notes address 10 medium-severity vulnerabilities and one low-severity vulnerability.
These include cross-site scripting (XSS), information disclosure, missing authorization checks, and memory corruption issues affecting various SAP products, including SAP Commerce Cloud, SAP NetWeaver, and SAP Solution Manager.
Implementation Recommendations
SAP strongly advises customers to implement the security patches without delay, prioritizing the critical and high-severity vulnerabilities. Organizations should follow a risk-based patching approach, beginning with:
- Apply note #3581961 for SAP S/4HANA Private Cloud environments (versions S4CORE 102-108)
- Implement note #3587115 for SAP Landscape Transformation Analysis Platform (DMIS versions 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731)
- Address note #3572688 for SAP Financial Consolidation (FINANCE 1010)
Security administrators should review the full list of vulnerabilities in the SAP Support Portal and create a comprehensive remediation plan for their SAP landscape.
“Secure configuration is essential to ensuring secure operation and data integrity,” states SAP in their release notes.
The company has documented comprehensive security recommendations to help customers configure optimal security for their SAP portfolio.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates
%20(1)%20(1).webp?w=1200&resize=1200,0&ssl=1&description=The patch collection, released on April 8, includes three critical vulnerabilities with Common Vulnerability Scoring System (CVSS)){kind=link}