SAP April 2025 Patch day releases patches for multiple flaws, three critical
Take action: If you are running SAP S/4HANA in Private Cloud, SAP Landscape Transformation or SAP Financial Consolidation, be aware that you are exposed to critical flaws. Review the advisory in detail, check the level of isolation of your systems from external attackers and plan a quick patch. Patching a SAP system is not easy, so make sure all mitigation controls are active. Then proceed to a planned patch. Don't ignore these, all mitigating measures will fail.
Learn More
SAP released its April 2025 Security Patch Day updates on April 8th, addressing a significant number of security vulnerabilities across multiple SAP products. The update includes 18 new Security Notes and 2 updates to previously released Security Notes.
Three critical vulnerabilities were patched, all with extremely high CVSS scores:
- CVE-2025-27429 (CVSS score 9.9) - Code Injection Vulnerability in SAP S/4HANA (Private Cloud) affecting S4CORE versions 102 through 108.
- CVE-2025-31330 (CVSS score 9.9) - Code Injection Vulnerability in SAP Landscape Transformation (Analysis Platform), affecting DMIS versions 2011_1_700, 2011_1_710, 2011_1_730, and 2011_1_731.
- CVE-2025-30016 (CVSS score 9.8) - Authentication Bypass Vulnerability in SAP Financial Consolidation affecting FINANCE version 1010.
Multiple high-severity vulnerabilities were also addressed:
- CVE-2025-0064 (CVSS score 8.8) - Improper Authorization in SAP BusinessObjects Business Intelligence platform - this is an update to a Security Note released in February 2025.
- CVE-2025-23186 (CVSS score 8.5) - Mixed Dynamic RFC Destination vulnerability in SAP NetWeaver Application Server ABAP
- CVE-2024-56337 (CVSS score 8.1) - Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat within SAP Commerce Cloud .
- CVE-2025-30014 (CVSS score 7.7) - Directory Traversal vulnerability in SAP Capital Yield Tax Management.
- CVE-2025-27428 (CVSS score 7.7) - Directory Traversal vulnerability in SAP NetWeaver and ABAP Platform (Service Data Collection).
The patch also addresses multiple medium-severity vulnerabilities affecting various SAP products, including information disclosure flaws, code injection vulnerabilities, insecure file permissions, cross-site scripting (XSS) issues, and missing authorization checks. These vulnerabilities have CVSS scores ranging from 4.1 to 6.8.
A low-priority update was also released for a Server Side Request Forgery (SSRF) vulnerability in SAP CRM and SAP S/4 HANA (Interaction Center), tracked as CVE-2025-27430 (CVSS score 3.5).
SAP strongly recommends that customers visit the Support Portal and apply these patches as soon as possible.
