SAP has released multiple security updates, including 16 new security notes and critical patches addressing vulnerabilities in NetWeaver and other products. These updates are crucial to protect against actively exploited zero-day vulnerabilities and other high-severity flaws.
Affected: SAP, NetWeaver, S/4HANA, Landscape Transformation, Supplier Relationship Management, Business Objects Business Intelligence Platform, PDCE
Keypoints
- SAP issued 16 new security notes and two updates during its May 2025 Security Patch Day to address critical vulnerabilities.
- Two of the notes fix critical and actively exploited flaws in NetWeaverβs Visual Composer, including CVE-2025-31324 with a CVSS score of 10/10.
- Attackers have exploited CVE-2025-31324 since January, deploying webshells to compromise NetWeaver servers and conduct ongoing malicious activities.
- The security updates also resolve a critical insecure deserialization bug in NetWeaver (CVE-2025-42999) with a CVSS score of 9.1.
- Additional patches address security issues in S/4HANA, Landscape Transformation, and other SAP products, including code injection vulnerabilities.
- SAP urges customers to apply these security notes immediately to prevent exploitation, especially for the vulnerable NetWeaver systems.
- There are 11 new security notes targeting medium-severity vulnerabilities across various SAP products.
Read More: https://www.securityweek.com/sap-patches-another-critical-netweaver-vulnerability/