SAP Security Notes Summary – February 2025

Traditionally, once a month, I publish a review of all SAP security notes and news released in that month. SAP Security Notes contain SAP’s expert advice regarding important action items and patches to ensure the security of your systems.

| SAP Component | Number | Title | CVSS Score | Released On |
|---|---|---|---|---|
| PM-FIO-WCM | 3475427 | [CVE-2024-41736] Information Disclosure vulnerability in SAP Permit to Work | 4,3 | 26.02.2025 |
| IS-A-JIT | 3347991 | [CVE-2025-26655] Missing Authorization check in SAP JIT(Outbound) | 3,1 | 25.02.2025 |
| BC-UPG-ADDON | 3553753 | [CVE-2025-24872] Missing Authorization check in SAP ABAP Platform (ABAP Build Framework) | 4,3 | 11.02.2025 |
| OPU-GW-COR | 3426825 | [CVE-2025-23191] Cache Poisoning through header manipulation vulnerability in SAP Fiori for SAP ERP | 3,1 | 11.02.2025 |
| BI-BIP-AUT | 3525794 | [CVE-2025-0064] Improper Authorization in SAP BusinessObjects Business Intelligence platform (Central Management Console) | 8,7 | 11.02.2025 |
| EP-PDK-HBJ | 3526203 | [CVE-2025-0054] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server Java | 5,4 | 11.02.2025 |
| CEC-SCC-COM-SRC-SER | 3540273 | [CVE-2024-45216] Multiple vulnerabilities in Apache Solr within SAP Commerce Cloud | 5,5 | 11.02.2025 |
| PA-FIO-OVT | 3532025 | [CVE-2025-25241] Missing Authorization check in SAP Fiori Apps Reference Library (My Overtime Requests) | 5,4 | 11.02.2025 |
| BC-JAS-SEC-UME | 3417627 | [CVE-2024-22126] Cross Site Scripting vulnerability in NetWeaver AS Java (User Admin Application) | 8,8 | 11.02.2025 |
| CEC-SCC-CDM-BO-FRW | 3555364 | [CVE-2025-24875] SameSite Defense in Depth not applied for some cookies in SAP Commerce | 6,8 | 11.02.2025 |
| BC-WD-JAV | 3550027 | [CVE-2025-24869] Information Disclosure vulnerability in SAP NetWeaver Application Server Java | 4,3 | 11.02.2025 |
| SV-SMG-TWB | 3547581 | [CVE-2025-23190] Missing Authorization check in SAP NetWeaver and ABAP platform (ST-PI) | 4,3 | 11.02.2025 |
| SV-SMG-SDD | 3546470 | [CVE-2025-23187] Missing Authorization Check in SAP NetWeaver and ABAP Platform (SDCCN) | 5,3 | 11.02.2025 |
| SRM-CAT-MDM | 3567551 | [CVE-2025-25243] Path traversal vulnerability in SAP Supplier Relationship Management (Master Data Management Catalog) | 8,6 | 11.02.2025 |
| CA-EPC | 3567172 | [CVE-2024-38819] Multiple vulnerabilities in SAP Enterprise Project Connection | 7,5 | 11.02.2025 |
| BI-BIP-INV | 3445708 | [CVE-2025-24867] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform (BI Launchpad) | 6,1 | 11.02.2025 |
| BC-XS-SEC | 3563929 | [CVE-2025-24868] Open Redirect Vulnerability in SAP HANA extended application services, advanced model (User Account and Authentication Services) | 7,1 | 11.02.2025 |
| BC-FES-GUI | 3562336 | [CVE-2025-24870] Insecure Key & Secret Management vulnerability in SAP GUI for Windows | 6,0 | 11.02.2025 |
| BC-BMT-WFM | 3561264 | [CVE-2025-23193] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP | 5,3 | 11.02.2025 |
| CEC-SCC-CDM-BO-FRW | 3559510 | [CVE-2025-24874] Missing Defense in Depth Against Clickjacking in SAP Commerce (Backoffice) | 6,8 | 11.02.2025 |
| BC-JAS-DPL | 3287784 | [CVE-2023-24527] Improper Access Control in SAP NetWeaver AS Java for Deploy Service | 5,3 | 11.02.2025 |
| BC-JAS-SEC-UME | 3557138 | Update 1 to Security Note 3417627 – [CVE-2024-22126] Cross Site Scripting vulnerability in NetWeaver AS Java (User Admin Application) | 6,1 | 11.02.2025 |

*The characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.

Copyright © 2025. SAPBasisWorld.com