What did SAP release in August 2025?

SAP released the August 2025 security updates addressing vulnerabilities across its enterprise software portfolio. The updates include 15 new security notes and 4 updates to previously released patches, with at least three critical vulnerabilities.

How many vulnerabilities were addressed in SAP's August 2025 security update?

SAP addressed a total of 19 vulnerabilities: 15 new security notes and 4 updates to previously released patches. At least three of these flaws are considered critical.

What are the critical vulnerabilities in SAP's August 2025 update?

The critical vulnerabilities are CVE-2025-42957 (CVSS 9.9) affecting SAP S/4HANA, CVE-2025-42950 (CVSS 9.9) affecting SAP Landscape Transformation Analysis Platform, and CVE-2025-27429 (CVSS 9.9) which is an updated code injection vulnerability in SAP S/4HANA originally patched in April 2025.

What is the highest CVSS score among the SAP vulnerabilities?

The highest CVSS score is 9.9, which applies to three critical code injection vulnerabilities: CVE-2025-42957, CVE-2025-42950, and CVE-2025-27429.

Which SAP products are affected by the critical vulnerabilities?

The critical vulnerabilities affect SAP S/4HANA (Private Cloud or On-Premise) versions S4CORE 102, 103, 104, 105, 106, 107, 108, and SAP Landscape Transformation (Analysis Platform) versions DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020.

What should organizations do about these SAP vulnerabilities?

Organizations using SAP products should review the advisory and plan a patch cycle. Priority should be given to patching the critical flaws in SAP S/4HANA and SAP Landscape Transformation (Analysis Platform).

Which SAP vulnerabilities should be prioritized for patching?

Priority patching should focus on the critical flaws in SAP S/4HANA and SAP Landscape Transformation (Analysis Platform), specifically CVE-2025-42957, CVE-2025-42950, and CVE-2025-27429, all with CVSS scores of 9.9.

What other notable vulnerabilities were included in the SAP August 2025 update?

Other notable vulnerabilities include CVE-2025-42951 (CVSS 8.8) - Broken Authorization in SAP Business One, CVE-2025-42976 (CVSS 8.1) - Multiple vulnerabilities in SAP NetWeaver Application Server ABAP, and CVE-2025-42946 (CVSS 6.9) - Directory Traversal vulnerability in SAP S/4HANA Bank Communication Management.

Are any of the August 2025 SAP vulnerabilities updates to previous patches?

Yes, four vulnerabilities are updates to previously released patches, including CVE-2025-27429 which was originally patched in April 2025, CVE-2025-0059, CVE-2025-23194, and CVE-2025-31331.

Advisory

SAP releases August 2025 security updates, patches 19 flaws, at least three critical

Q: What type of vulnerability are the critical SAP flaws?

The critical vulnerabilities are code injection flaws that exist in a remote-enabled SAP function module and allow attackers to inject arbitrary code into the system. These are the same security flaw affecting different SAP products but have been assigned separate CVE identifiers.

published: Aug. 12, 2025

Take action: If you're running SAP products, review the advisory in detail for any vulnerable products you need to patch. High priority are SAP S/4HANA or SAP Landscape Transformation systems, that have patches for critical flaws. And hackers love SAP platforms, because everyone is too scared to patch them.

Learn More

SAP has released the August 2025 security updates addressing vulnerabilities across its enterprise software portfolio. The updates have 15 new security notes, 4 updates to previously released patches. At least three of the flaws are critical.

The critical vulnerabilities are the same security flaw affecting different SAP products but have been assigned separate CVE identifiers. The vulnerability exists in a remote-enabled SAP function module and allows attackers to inject arbitrary code into the system.

Vulnerabilities summary

CVE-2025-42957 (CVSS score 9.9) - Code Injection vulnerability in SAP S/4HANA (Private Cloud or On-Premise) affecting versions S4CORE 102, 103, 104, 105, 106, 107, 108
CVE-2025-42950 (CVSS score 9.9) - Code Injection vulnerability in SAP Landscape Transformation (Analysis Platform) affecting versions DMIS 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020
CVE-2025-27429 (CVSS score 9.9) - Updated Code Injection vulnerability in SAP S/4HANA (Private Cloud or On-Premise) affecting versions S4CORE 102, 103, 104, 105, 106, 107, 108 (originally patched in April 2025)
CVE-2025-42951 (CVSS score 8.8) - Broken Authorization in SAP Business One (SLD) affecting versions B1_ON_HANA 10.0, SAP-M-BO 10.0
CVE-2025-42976 (CVSS score 8.1) - Multiple vulnerabilities in SAP NetWeaver Application Server ABAP (BIC Document) affecting multiple versions including S4COREOP 104-108 and various SEM-BW versions
CVE-2025-42946 (CVSS score 6.9) - Directory Traversal vulnerability in SAP S/4HANA (Bank Communication Management)
CVE-2025-42945 (CVSS score 6.1) - HTML Injection vulnerability in SAP NetWeaver Application Server ABAP
CVE-2025-42942 (CVSS score 6.1) - Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server for ABAP
CVE-2025-42948 (CVSS score 6.1) - Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Platform
CVE-2025-0059 (CVSS score 6.0) - Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML) - Updated
CVE-2025-42936 (CVSS score 5.4) - Missing Authorization check in SAP NetWeaver Application Server for ABAP
CVE-2025-23194 (CVSS score 5.3) - Missing Authentication check in SAP NetWeaver Enterprise Portal (OBN component) - Updated
CVE-2025-42949 (CVSS score 4.9) - Missing Authorization check in ABAP Platform
CVE-2025-42943 (CVSS score 4.5) - Information Disclosure in SAP GUI for Windows
CVE-2025-42934 (CVSS score 4.3) - CRLF Injection vulnerability in SAP S/4HANA (Supplier invoice)
CVE-2025-31331 (CVSS score 4.3) - Authorization Bypass vulnerability in SAP NetWeaver - Updated
CVE-2025-42935 (CVSS score 4.1) - Information Disclosure vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Manager)
CVE-2025-42955 (CVSS score 3.5) - Missing authorization check in SAP Cloud Connector
CVE-2025-42941 (CVSS score 3.5) - Reverse Tabnabbing vulnerability in SAP Fiori (Launchpad)

Organizations using SAP products should review the advisory and plan a patch cycle. Priority patching are the critical flaws in SAP S/4HANA and SAP Landscape Transformation (Analysis Platform).

SAP releases August 2025 security updates, patches 19 flaws, at least three critical

Read More
Critical buffer overflow flaw reported in Net-SNMP
Fortinet warns of active exploitation of 2FA Bypass …
Critical security vulnerabilities discovered in Acronis Cyber Protect …
Cisco reports products vulnerable to "blastRadius" RADIUS protocol …
CISA warns of actively exploited critical flaws in …