SAP Security Notes Summary – April 2025

Traditionally once a month I’ll publish a review of all SAP security notes and news that were released in a given month. SAP Security Notes contain SAP’s expert advice regarding important action items and patches to ensure the security of your systems.

SAP Component	Number	Title	CVSS Score	Released On
EP-VC-INF	3594142	[CVE-2025-31324] Missing Authorization check in SAP NetWeaver (Visual Composer development server)	10,0	24.04.2025
CA-LT-ANA	3587115	[CVE-2025-31330] Code Injection Vulnerability in SAP Landscape Transformation (Analysis Platform)	9,9	22.04.2025
PA-FIO-LSO	3446649	[CVE-2025-31328] Cross-Site Request Forgery (CSRF) vulnerability in SAP S/4 HANA (Learning Solution)	4,6	22.04.2025
CA-FL-SRV	3359825	[CVE-2025-31327] OData meta-data property entity tampering in SAP Field Logistics	4,3	22.04.2025
CA-LT-ANA	3581961	[CVE-2025-27429] Code Injection Vulnerability in SAP S/4HANA (Private Cloud or On-Premise)	9,9	14.04.2025
CEC-SCC-CDM-CKP-COR	3590984	[CVE-2024-56337] Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat within SAP Commerce Cloud	8,1	08.04.2025
BI-BIP-AUT	3525794	[CVE-2025-0064] Improper Authorization in SAP BusinessObjects Business Intelligence platform	8,8	08.04.2025
BW-BCT-WEB	3571093	[CVE-2025-30013] Code Injection vulnerability in SAP ERP BW Business Content	6,7	08.04.2025
PP-PI-MD-PRV	3525971	[CVE-2025-31333] Odata meta-data tampering in SAP S4CORE entity	4,3	08.04.2025
BI-BIP-INS	3565751	[CVE-2025-31332] Insecure File permissions vulnerability in SAP BusinessObjects Business Intelligence Platform	6,6	08.04.2025
EPM-BFC-TCL-ADM-SEC	3572688	[CVE-2025-30016] Authentication Bypass Vulnerability in SAP Financial Consolidation	9,8	08.04.2025
BC-MID-RFC	3554667	[CVE-2025-23186] Mixed Dynamic RFC Destination vulnerability through Remote Function Call (RFC) in SAP NetWeaver Application Server ABAP	8,5	08.04.2025
SV-SMG-IMP	3558864	[CVE-2025-30017] Missing Authorization check in SAP Solution Manager	4,4	08.04.2025
SV-SMG-SDD	3581811	[CVE-2025-27428] Directory Traversal vulnerability in SAP NetWeaver and ABAP Platform (Service Data Collection)	7,7	08.04.2025
BC-FES-WGU	3559307	[CVE-2025-26653] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)	4,7	08.04.2025
BC-DB-DBI	3565944	[CVE-2025-30015] Memory Corruption vulnerability in SAP NetWeaver and ABAP Platform (Application Server ABAP)	4,1	08.04.2025
CA-GTF-TS-GMA	3577131	[CVE-2025-31331] Authorization Bypass vulnerability in SAP NetWeaver	4,3	08.04.2025
CEC-SCC-CLA-ENV-NWC	3543274	[CVE-2025-26654] Potential information disclosure vulnerability in SAP Commerce Cloud (Public Cloud)	6,8	08.04.2025
EP-KM-CM	3568307	[CVE-2025-26657] Information Disclosure vulnerability in SAP KMC WPC	5,3	08.04.2025
FS-CYT	2927164	[CVE-2025-30014] Directory Traversal vulnerability in SAP Capital Yield Tax Management	7,7	08.04.2025
BC-SEC-VIR	3568778	[CVE-2025-27437] Missing Authorization check in SAP NetWeaver Application Server ABAP (Virus Scan Interface)	4,3	08.04.2025
CEC-SCC-COM-PRO-CUC	3539465	[CVE-2025-27435] Information Disclosure Vulnerability in SAP Commerce Cloud	4,2	08.04.2025

*The characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.