
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN424
_____________________________________________________________________

DATE                : 08/07/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running SAP products.

=====================================================================
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/july-2025.html
_____________________________________________________________________


SAP Security Patch Day - July 2025

This post shares information on Security Notes that remediate
vulnerabilities discovered in SAP products. SAP strongly recommends
that the customer visits the Support Portal and applies patches on
priority to protect their SAP landscape.

On 8 July 2025, SAP Security Patch Day saw the release of 27 new
Security Notes. In addition, 4 previously released Security Notes
were updated.

Note#  |  Title  |  Product and Versions  |  Priority  |  CVSS
(each entry below lists these fields in that order)

3578900
Update to Security Note released on May 2025 Patch Day:
[CVE-2025-30012] Multiple vulnerabilities in SAP Supplier Relationship
Management (Live Auction Cockpit)
Related CVEs – CVE-2025-30009, CVE-2025-30010, CVE-2025-30011,
CVE-2025-30018

Product – SAP Supplier Relationship Management (Live Auction Cockpit)
Version – SRM_SERVER 7.14
Critical
10.0

3618955
[CVE-2025-42967] Code Injection vulnerability in SAP S/4HANA and
SAP SCM (Characteristic Propagation)
Product – SAP S/4HANA and SAP SCM (Characteristic Propagation)
Versions – SCMAPO 713, 714, S4CORE 102, 103, 104, S4COREOP 105, 106,
107, 108, SCM 700, 701, 702, 712
Critical
9.9

3620498
[CVE-2025-42980] Insecure Deserialization in SAP NetWeaver Enterprise
Portal Federated Portal Network
Product – SAP NetWeaver Enterprise Portal Federated Portal Network
Version – EP-RUNTIME 7.50
Critical
9.1

3621236
[CVE-2025-42964] Insecure Deserialization in SAP NetWeaver Enterprise
Portal Administration
Product – SAP NetWeaver Enterprise Portal Administration
Version – EP-RUNTIME 7.50
Critical
9.1

3610892
[CVE-2025-42966] Insecure Deserialization vulnerability in SAP
NetWeaver (XML Data Archiving Service)
Product – SAP NetWeaver (XML Data Archiving Service)
Versions – J2EE-APPS 7.50
Critical
9.1

3621771
[CVE-2025-42963] Insecure Deserialization in SAP NetWeaver
Application Server for Java (Log Viewer)
Product – SAP NetWeaver Application Server for Java (Log Viewer)
Version – LMNWABASICAPPS 7.50
Critical
9.1

3600846
[CVE-2025-42959] Missing Authentication check after implementation
of SAP Security Note 3007182 and 3537476
Product – SAP NetWeaver ABAP Server and ABAP Platform
Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731,
SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752,
SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756,
SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 914, SAP_BASIS 915
High
8.1

3623440
[CVE-2025-42953] Missing Authorization check in SAP NetWeaver
Application Server for ABAP
Product – SAP NetWeaver Application Server for ABAP
Versions – SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731,
SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752,
SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756,
SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816
High
8.1

3565279
[CVE-2024-53677] Insecure File Operations vulnerability in
SAP Business Objects Business Intelligence Platform (CMC)
Product – SAP Business Objects Business Intelligence Platform (CMC)
Version – ENTERPRISE 430, 2025
High
8.0

3623255
[CVE-2025-42952] Missing Authorization check in SAP Business
Warehouse and SAP Plug-In Basis
Product – SAP Business Warehouse and SAP Plug-In Basis
Versions – PI_BASIS 2006_1_700, 701, 702, 731, 740, SAP_BW 700,
701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758,
816
High
7.7

3610591
Update to Security Note released on June 2025 Patch Day:
[CVE-2025-42977] Directory Traversal vulnerability in SAP
NetWeaver Visual Composer
Product – SAP NetWeaver Visual Composer
Version – VCBASE 7.50
High
7.6

3595143
[CVE-2025-43001] Multiple Privilege Escalation Vulnerabilities
in SAPCAR
Related CVE – CVE-2025-42992
Product – SAPCAR
Versions – SAP_CAR 7.53, 7.22EXT
Medium
6.9

3580384
Update to Security Note released on June 2025 Patch Day:
[CVE-2025-42993] Missing Authorization Check in SAP S/4HANA
(Enterprise Event Enablement)
Product – SAP S/4HANA (Enterprise Event Enablement)
Versions – SAP_GWFND 757, 758
Medium
6.7

3577300
Update to Security Note released on May 2025 Patch Day:
[CVE-2025-42997] Information Disclosure vulnerability in
SAP Gateway Client
Product – SAP Gateway Client
Versions – SAP_GWFND 752, 753, 754, 755, 756, 757, 758
Medium
6.6

3617131
[CVE-2025-42981] Multiple vulnerabilities in SAP NetWeaver
Application Server ABAP
Related CVE – CVE-2025-42956
Product – SAP NetWeaver Application Server ABAP
Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702,
SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751,
SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755,
SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816
Medium
6.1

3596987
[CVE-2025-42969] Cross-Site Scripting (XSS) vulnerability in
SAP NetWeaver Application Server ABAP and ABAP Platform
Product – SAP NetWeaver Application Server ABAP and ABAP Platform
Version – SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751,
SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755,
SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758
Medium
6.1

3604212
[CVE-2025-42962] Cross-Site Scripting (XSS) vulnerability in
SAP Business Warehouse (Business Explorer Web 3.5 loading
animation)
Product – SAP Business Warehouse (Business Explorer Web 3.5
loading animation)
Versions – DW4CORE 100, 200, 300, 400, 916, SAP_BW 730, 731,
740, 750, 751, 752, 753, 754, 756, 757, 758
Medium
6.1

3617380
[CVE-2025-42985] Open Redirect vulnerability in SAP
BusinessObjects Content Administrator workbench
Product – SAP BusinessObjects Content Administrator workbench
Versions – DW4CORE 100, 200, 300, 400, SAP_BW 700, 701, 702,
731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816,
SAP_BW_VIRTUAL_COMP 701
Medium
6.1

3595156
[CVE-2025-42970] Directory Traversal vulnerability in SAPCAR
Product – SAPCAR
Versions – SAP_CAR 7.53, 7.22EXT
Medium
5.8

3607513
[CVE-2025-42979] Insecure Key & Secret Management vulnerability
in SAP GUI for Windows
Product – SAP GUI for Windows
Versions – BC-FES-GUI 8.00
Medium
5.6

3606103
[CVE-2025-42973] Cross-Site Scripting (XSS) vulnerability in
SAP Data Services (DQ Report)
Product – SAP Data Services (DQ Report)
Version – SBOP_DS_MANAGEMENT_CONSOLE 4.3, 2025
Medium
5.4

3621037
[CVE-2025-42968] Missing Authorization check in SAP NetWeaver
(RFC enabled function module)
Product – SAP NetWeaver (RFC enabled function module)
Versions – SAP_BW 700, 701, 702, 710, 731, 740, 750, 751, 752,
753, 754, 755, 756, 757, 758, 816, 914, 916
Medium
5.0

3610322
[CVE-2025-42961] Missing Authorization check in SAP NetWeaver
Application Server for ABAP
Product – SAP NetWeaver Application Server for ABAP
Version – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702,
SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751,
SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755,
SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816
Medium
4.9

3608991
[CVE-2025-42960] Missing Authorization Check in SAP Business
Warehouse and SAP BW/4HANA BEx Tools
Product – SAP Business Warehouse and SAP BW/4HANA BEx Tools
Version – DW4CORE 100, 200, 300, 400, SAP_BW 700, 701, 702,
731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816,
SAP_BW_VIRTUAL_COMP 701
Medium
4.3

3626440
[CVE-2025-42986] Missing Authorization check in SAP NetWeaver
and ABAP Platform
Product – SAP NetWeaver and ABAP Platform
Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702,
SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751,
SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754
Medium
4.3

3610056
[CVE-2025-42974] Missing Authorization Check in SAP NetWeaver
and ABAP Platform (SDCCN)
Product – SAP NetWeaver and ABAP Platform (SDCCN)
Version – ST-PI 2008_1_700, 2008_1_710, 740
Medium
4.3

3573199
[CVE-2025-31326] HTML Injection vulnerability in SAP BusinessObjects
Business Intelligence Platform (Web Intelligence)
Product – SAP BusinessObjects Business Intelligence Platform
(Web Intelligence)
Version – ENTERPRISE 430, 2025, 2027, ENTERPRISECLIENTTOOLS
430, 2025, 2027
Medium
4.1

3598118
[CVE-2025-42965] Server-Side Request Forgery (SSRF) vulnerability in
SAP BusinessObjects BI Platform Central Management Console Promotion
Management Application
Product – SAP BusinessObjects BI Platform Central Management Console
Promotion Management Application
Version – ENTERPRISE 430, 2025, 2027
Medium
4.1

3595141
[CVE-2025-42971] Memory Corruption vulnerability in SAPCAR
Product – SAPCAR
Version – SAP_CAR 7.53, 7.22EXT
Medium
4.0

3557179
[CVE-2025-42978] Insufficiently Secure Hostname Verification for
Outbound TLS Connections in SAP NetWeaver Application Server Java
Product – SAP NetWeaver Application Server Java
Version – ENGINEAPI 7.50
Low
3.5

3608156
[CVE-2025-42954] Denial of Service (DoS) in SAP NetWeaver Business
Warehouse (CCAW application)
Product – SAP NetWeaver Business Warehouse (CCAW application)
Version – DW4CORE 100, 200, 300, 400, SAP_BW 700, 701, 702, 731,
740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816,
SAP_BW_VIRTUAL_COMP 701
Low
2.7


To learn more about the security researchers and research companies
who contributed to this month's security patches, visit here.

SAP is committed to delivering trustworthy products and cloud
services. Secure configuration is essential to ensuring secure
operation and data integrity. We have therefore documented security
recommendations that are consolidated in this document to help you
configure the best security for your SAP portfolio.

Archived blogs from previous years are available here.

If you have any comments or feedback about this post, you can write
to secure@sap.com

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
