Summary: SAP has released 18 new and two updated security notes addressing critical vulnerabilities as part of its April 2025 Security Patch Day, including severe flaws in S/4HANA and Financial Consolidation. Two code injection bugs and an authentication bypass issue can lead to security breaches if left unpatched. Organizations are urged to apply these patches promptly to mitigate potential risks.
Affected: SAP Systems (S/4HANA, Financial Consolidation, BusinessObjects, NetWeaver, etc.)
Key points:
- Two critical vulnerabilities in S/4HANA and Landscape Transformation (CVE-2025-27429, CVE-2025-31330) are code injection flaws with a CVSS score of 9.9.
- An authentication bypass vulnerability in Financial Consolidation (CVE-2025-30016), scored at 9.8, could allow unprivileged users to impersonate admin users.
- Five high-severity vulnerabilities were also addressed in various SAP products, including BusinessObjects and NetWeaver.
- Organizations are advised to apply the patches urgently, despite no current indications of exploitation in the wild.
Source: https://www.securityweek.com/sap-patches-critical-code-injection-vulnerabilities/