SAP Security Notes Summary – May 2025
Once a month I publish a review of all SAP Security Notes and related news released in that month. SAP Security Notes contain SAP's expert advice on important action items and patches for keeping your systems secure.
| SAP Component | Number | Title | CVSS Score* | Released On |
|---|---|---|---|---|
| EP-VC-INF | 3604119 | [CVE-2025-42999] Insecure Deserialization in SAP NetWeaver (Visual Composer development server) | 9,1 | 14.05.2025 |
| EP-VC-INF | 3594142 | [CVE-2025-31324] Missing Authorization check in SAP NetWeaver (Visual Composer development server) | 10,0 | 13.05.2025 |
| FIN-BA | 3483344 | [CVE-2024-39592] Missing Authorization check in SAP PDCE | 7,7 | 13.05.2025 |
| CA-LT-PCL | 3591978 | [CVE-2025-43011] Missing Authorization Check in SAP Landscape Transformation (PCL Basis) | 7,7 | 13.05.2025 |
| SRM-LA | 3578900 | [CVE-2025-30018] Multiple vulnerabilities in SAP Supplier Relationship Management (Live Auction Cockpit) | 8,6 | 13.05.2025 |
| SRM-CAT-MDM | 3588455 | [CVE-2025-43006] Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management (Master Data Management Catalog) | 6,1 | 13.05.2025 |
| EIM-DS-SVR | 3558755 | [CVE-2025-26662] Cross-Site Scripting (XSS) vulnerability in the SAP Data Services Management Console | 4,4 | 13.05.2025 |
| PY-PT | 3585992 | [CVE-2025-43008] Missing Authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal | 5,8 | 13.05.2025 |
| SCM-BAS-MDL | 3600859 | [CVE-2025-43010] Code injection vulnerability in SAP S/4HANA Cloud Private Edition or On Premise (SCM Master Data Layer (MDL)) | 8,3 | 13.05.2025 |
| BC-FES-GXT | 3574520 | [CVE-2025-43005] Information Disclosure vulnerability in SAP GUI for Windows | 4,3 | 13.05.2025 |
| OPU-GW-V4 | 3577300 | [CVE-2025-42997] Information Disclosure vulnerability in SAP Gateway Client | 6,6 | 13.05.2025 |
| MFG-DM | 3571096 | [CVE-2025-43004] Security Misconfiguration Vulnerability in SAP Digital Manufacturing (Production Operator Dashboard) | 5,3 | 13.05.2025 |
| CRM-MD-BP | 3596033 | [CVE-2025-43003] Information Disclosure vulnerability in SAP S/4HANA (Private Cloud & On-Premise) | 6,4 | 13.05.2025 |
| LO-SPM-X | 2719724 | [CVE-2025-43007] Missing Authorization check in SAP Service Parts Management (SPM) | 6,3 | 13.05.2025 |
| LO-SPM-OUT | 2491817 | [CVE-2025-43009] Missing Authorization check in SAP Service Parts Management (SPM) | 6,3 | 13.05.2025 |
| MM-PUR-SVC-SES | 3227940 | [CVE-2025-43002] Missing Authorization check in SAP S4/HANA (OData meta-data property) | 4,3 | 13.05.2025 |
| BC-MID-RFC | 3577287 | [CVE-2025-31329] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | 6,2 | 13.05.2025 |
| BI-BIP-LCM | 3586013 | [CVE-2025-43000] Information Disclosure Vulnerability in SAP Business Objects Business Intelligence Platform (PMW) | 7,9 | 13.05.2025 |
*The CVSS (Common Vulnerability Scoring System) score captures the principal characteristics of a vulnerability and produces a numerical score reflecting its severity. The numerical score can then be translated into a qualitative rating (such as low, medium, high, or critical) to help organizations properly assess and prioritize their vulnerability management processes.
