On Tuesday, SAP rolled out its April 2025 Security Patch Day updates, delivering 18 new and two revised security notes.
Among these, three address critical vulnerabilities that demand immediate attention.
The most severe of these flaws—CVE-2025-27429 and CVE-2025-31330—carry a CVSS score of 9.9. These are code injection vulnerabilities found in SAP S/4HANA (Private Cloud) and Landscape Transformation (Analysis Platform). Despite being listed as separate CVEs, enterprise software security firm Onapsis clarified that both refer to the same underlying issue. SAP’s patch disables a remote-enabled function module in both products which, if left unpatched, could be exploited to execute malicious ABAP code. Exploitation only requires the S_RFC authorization on the module or its function group.
The third critical vulnerability, CVE-2025-30016, scored 9.8 on the CVSS scale. It’s an authentication bypass flaw in SAP’s Financial Consolidation product. This bug could let an unauthenticated attacker impersonate an administrator, potentially granting full system access.
In addition to these, SAP addressed five high-severity vulnerabilities. One of them—an updated note—fixes an improper authorization issue in the BusinessObjects Business Intelligence platform. Other high-risk bugs were patched in SAP NetWeaver Application Server ABAP, Commerce Cloud, and Capital Yield Tax Management. Notably, the Commerce Cloud flaw, a race condition in Apache Tomcat, is only exploitable under three specific conditions, none of which are enabled by default.
SAP also fixed 10 medium-severity vulnerabilities and one low-severity vulnerability across various products, including Commerce Cloud, ERP BW Business Content, BusinessObjects, KMC WPC, NetWeaver, Solution Manager, S4CORE entity, and S/4HANA.
While SAP hasn’t reported any of these flaws being exploited in the wild, organizations are strongly encouraged to apply the patches promptly to safeguard their systems.