SAP releases January 2025 patch, fixes at least two critical issues
Take action: If you are running SAP products, your first priority for patching should be SAP NetWeaver ABAP Server and ABAP Platform, followed by SAP BusinessObjects, and only then the rest. Review the advisory, and plan for a regular patch cycle.
Learn More
On January 14, 2025, SAP released a security update addressing 14 newly discovered vulnerabilities across multiple products in its portfolio. Among these, two vulnerabilities were classified as critical, three as high-risk, and the remainder range from medium to low severity.
Critical Vulnerabilities:
- CVE-2025-0070 (CVSS score 9.9) - An improper authentication vulnerability in SAP NetWeaver ABAP Server and ABAP Platform that could allow logged-in users to gain unauthorized system access through insufficient authentication checks, potentially leading to privilege escalation.
- CVE-2025-0066 (CVSS score 9.9) - An information disclosure vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) that could enable unauthorized access to sensitive information due to weak access controls.
High-Risk Vulnerabilities:
- CVE-2025-0063 (CVSS score 8.8) - A SQL injection vulnerability affecting SAP NetWeaver AS for ABAP and ABAP Platform
- CVE-2025-0061 and CVE-2025-0060 (CVSS scores 8.7 and 6.5) - Multiple vulnerabilities in SAP BusinessObjects Business Intelligence Platform
- CVE-2025-0069 (CVSS score 7.8) - A DLL hijacking vulnerability in SAPSetup
The security update also addressed several medium-risk vulnerabilities, including information disclosure issues in SAP Business Workflow, SAP GUI for Windows and Java, and various authorization check problems in NetWeaver Application Server components. The lowest severity issue involved buffer overflow vulnerabilities in SAP BusinessObjects Business Intelligence Platform's Crystal Reports for Enterprise component.
The patches cover a wide range of SAP products and versions, including:
- SAP NetWeaver Application Server for ABAP and ABAP Platform (multiple versions from 7.22 to 9.14)
- SAP BusinessObjects Business Intelligence Platform (versions 420, 430, and 2025)
- SAP GUI for Windows and Java
- SAP Business Workflow and SAP Flexible Workflow
SAP strongly recommends that customers visit the Support Portal and apply these patches promptly to protect their SAP landscape. This release follows December's security update, which addressed nine vulnerabilities and included updates to four previous security reports.