=====================================================================
CERT-Renater Information Note No. 2025/VULN308
_____________________________________________________________________

DATE                 : 14/05/2025
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running SAP products.
=====================================================================

https://support.sap.com/en/my-support/knowledge-base/security-notes-news/may-2025.html
_____________________________________________________________________

SAP Security Patch Day - May 2025

This post shares the information on Security Notes that remediate
vulnerabilities discovered in SAP products. SAP strongly recommends
that the customer visits the Support Portal and applies patches on
priority to protect their SAP landscape.

On 13th of May 2025, SAP Security Patch Day saw the release of 16 new
Security Notes. Further, there were 2 updates to previously released
Security Notes.

Note#    Priority   CVSS   Title / Product / Version(s)
-------  ---------  -----  ------------------------------------------------
3594142  Critical   10.0   Update to Security Note released on April 2025
                           Patch Day: [CVE-2025-31324] Missing Authorization
                           check in SAP NetWeaver (Visual Composer
                           development server)
                           Product - SAP NetWeaver (Visual Composer
                           development server)
                           Version - VCFRAMEWORK 7.50

3604119  Critical   9.1    [CVE-2025-42999] Insecure Deserialization in SAP
                           NetWeaver (Visual Composer development server)
                           Product - SAP NetWeaver (Visual Composer
                           development server)
                           Version - VCFRAMEWORK 7.50

3578900  High       8.6    [CVE-2025-30018] Multiple vulnerabilities in SAP
                           Supplier Relationship Management (Live Auction
                           Cockpit)
                           Related CVE - CVE-2025-30009, CVE-2025-30010,
                           CVE-2025-30011, CVE-2025-30012
                           Product - SAP Supplier Relationship Management
                           (Live Auction Cockpit)
                           Version - SRM_SERVER 7.14

3600859  High       8.3    [CVE-2025-43010] Code injection vulnerability in
                           SAP S/4HANA Cloud Private Edition or On Premise
                           (SCM Master Data Layer (MDL))
                           Product - SAP S/4HANA Cloud Private Edition or On
                           Premise (SCM Master Data Layer (MDL))
                           Versions - S4CORE 102, 103, 104, 105, 106, 107,
                           108, SCM_BASIS 700, 701, 702, 712, 713, 714

3586013  High       7.9    [CVE-2025-43000] Information Disclosure
                           Vulnerability in SAP Business Objects Business
                           Intelligence Platform (PMW)
                           Product - SAP Business Objects Business
                           Intelligence Platform (PMW)
                           Versions - ENTERPRISE 430, 2025, 2027

3591978  High       7.7    [CVE-2025-43011] Missing Authorization Check in
                           SAP Landscape Transformation (PCL Basis)
                           Product - SAP Landscape Transformation (PCL Basis)
                           Versions - DMIS 2011_1_700, 2011_1_710,
                           2011_1_730, 2011_1_731, 2018_1_752, 2020,
                           S4CORE 102, 103, 104, 105, 106, 107, 108

3483344  High       7.7    Update to Security Note released on July 2024
                           Patch Day: [CVE-2024-39592] Missing Authorization
                           check in SAP PDCE
                           Product - SAP PDCE
                           Versions - S4CORE 102, 103, S4COREOP 104, 105,
                           106, 107, 108

3577300  Medium     6.6    [CVE-2025-42997] Information Disclosure
                           vulnerability in SAP Gateway Client
                           Product - SAP Gateway Client
                           Versions - SAP_GWFND 752, 753, 754, 755, 756,
                           757, 758

3596033  Medium     6.4    [CVE-2025-43003] Information Disclosure
                           vulnerability in SAP S/4HANA (Private Cloud &
                           On-Premise)
                           Product - SAP S/4HANA (Private Cloud & On-Premise)
                           Versions - S4CRM 204, 205, 206, S4CEXT 107, 108,
                           BBPCRM 702, 712, 713, 714

2491817  Medium     6.3    [CVE-2025-43009] Missing Authorization check in
                           SAP Service Parts Management (SPM)
                           Product - SAP Service Parts Management (SPM)
                           Versions - SAP_APPL 600, 602, 603, 604, 605, 606,
                           616, 617, 618, SAPSCORE 111, S4CORE 100, 101, 102

2719724  Medium     6.3    [CVE-2025-43007] Missing Authorization check in
                           SAP Service Parts Management (SPM)
                           Product - SAP Service Parts Management (SPM)
                           Versions - SAP_APPL 617, 618, SAPSCORE 116,
                           S4CORE 100, 101, 102, 103

3577287  Medium     6.2    [CVE-2025-31329] Information Disclosure
                           vulnerability in SAP NetWeaver Application Server
                           ABAP and ABAP Platform
                           Product - SAP NetWeaver Application Server ABAP
                           and ABAP Platform
                           Versions - SAP_BASIS 700, SAP_BASIS 701,
                           SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740,
                           SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752,
                           SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755,
                           SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758

3588455  Medium     6.1    [CVE-2025-43006] Cross-Site Scripting (XSS)
                           vulnerability in SAP Supplier Relationship
                           Management (Master Data Management Catalog)
                           Product - SAP Supplier Relationship Management
                           (Master Data Management Catalog)
                           Version - SRM_MDM_CAT 7.52

3585992  Medium     5.8    [CVE-2025-43008] Missing Authorization check in
                           SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal
                           Product - SAP S/4HANA HCM Portugal and SAP ERP
                           HCM Portugal
                           Versions - S4HCMCPT 100, 101, SAP_HRCPT 600, 604,
                           608

3571096  Medium     5.3    [CVE-2025-43004] Security Misconfiguration
                           Vulnerability in SAP Digital Manufacturing
                           (Production Operator Dashboard)
                           Product - SAP Digital Manufacturing (Production
                           Operator Dashboard)
                           Version - CTNR-DME-PODFOUNDATION-MS 1.0

3558755  Medium     4.4    [CVE-2025-26662] Cross-Site Scripting (XSS)
                           vulnerability in the SAP Data Services Management
                           Console
                           Product - SAP Data Services Management Console
                           Version - SBOP DS JOB SERVER 4.3

3227940  Medium     4.3    [CVE-2025-43002] Missing Authorization check in
                           SAP S4/HANA (OData meta-data property)
                           Product - SAP S4/HANA (OData meta-data property)
                           Versions - S4CORE 102, 103, 104, 105, 106

3574520  Medium     4.3    [CVE-2025-43005] Information Disclosure
                           vulnerability in SAP GUI for Windows
                           Product - SAP GUI for Windows
                           Version - BC-FES-GUI 8.00

To know more about the security researchers and research companies who
have contributed to this month's security patches, visit here.

SAP is committed to delivering trustworthy products and cloud services.
Secure configuration is essential to ensuring secure operation and data
integrity. We have therefore documented security recommendations that
are consolidated in this document to help you configure the best
security for your SAP portfolio.

Archived blogs from previous years are available here.

If you have any comments or feedback about this post, you can write to
secure@sap.com.

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================