Summary: SAP has issued a round of security updates addressing 21 new vulnerabilities, including high-severity issues such as XSS in SAP Commerce and a missing authorization check in SAP NetWeaver. Several of these vulnerabilities could allow unauthorized access and potentially lead to remote code execution. Customers are urged to apply the updates promptly to secure their systems.
Affected: SAP Commerce, SAP NetWeaver, SAP Business One, SAP Business Warehouse, SAP Web Dispatcher
Key points:
- 21 new vulnerabilities have been identified in SAP products, with 3 updates to previous Security Notes.
- High-severity vulnerabilities include an XSS issue in SAP Commerce (CVE-2025-27434) and a missing authorization check in SAP NetWeaver (CVE-2025-26661).
- Multiple vulnerabilities in Apache Tomcat within SAP Commerce Cloud may expose organizations to remote code execution risks.
- Previously reported vulnerabilities, such as an authentication bypass in SAP Approuter (CVE-2025-24876), have also been addressed.
- Several medium and low-severity vulnerabilities, including issues in SAP Business One and SAP Web Dispatcher, have been patched.
- Customers are strongly advised to implement the latest security updates immediately.