SAP February Patch Day: 18 Security Advisories Address Severe Vulnerabilities

Tue 11th Feb, 2025

SAP has released 18 security advisories as part of its February Patch Day, covering vulnerabilities across a range of products. None of them reaches SAP's top "Hot News" tier (CVSS 9.0 or above), but five are rated High. Administrators are urged to review the notes and apply the available updates promptly.

The most severe issue affects the Central Management Console of the SAP BusinessObjects Business Intelligence platform: because of an improper authorization check, an attacker who already holds administrative privileges could create or obtain the secret passphrase and use it to impersonate any user of the system (CVE-2025-0064, CVSS 8.7, Risk Level: High).

Additionally, the Master Data Management Catalog of SAP Supplier Relationship Management (SRM) has a path traversal vulnerability that lets an unauthenticated attacker download arbitrary files and thereby read sensitive information (CVE-2025-25243, CVSS 8.6, Risk Level: High). Another notable risk is in the Node.js package of SAP's Approuter, where an attacker can bypass authentication and take over a user's session by injecting an authorization code into the login flow (CVE-2025-24876, CVSS 8.1, Risk Level: High).
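The following Python simulation is an added illustration of the general vulnerability class named in the Approuter advisory, authorization code injection against an OAuth 2.0 / OpenID Connect client; it is not code from SAP or from the @sap/approuter package and says nothing about how that specific bug works. The AuthServer and Client classes, the session identifiers and the assumed leak of the victim's authorization code are all constructed for the demo. It shows the weak pattern, in which a code obtained from one browser session is redeemed from another, beside the hardened pattern, in which the client binds each login to the browser session with a `state` value and a PKCE verifier (RFC 7636), so that the identity provider refuses to exchange a code that was issued for a different session.

```python
"""Authorization code injection against an OAuth2/OIDC client, with and
without state + PKCE binding. Pure in-process simulation, no network."""
import base64
import hashlib
import secrets


def _s256(verifier):
    """PKCE S256 code challenge (RFC 7636): BASE64URL(SHA256(verifier))."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthServer:
    """Simulated identity provider: issues single-use codes and, when a
    code_challenge was supplied at /authorize, demands the matching verifier."""

    def __init__(self):
        self._codes = {}

    def authorize(self, user, code_challenge):
        code = secrets.token_urlsafe(16)
        self._codes[code] = (user, code_challenge)
        return code

    def token(self, code, code_verifier):
        entry = self._codes.pop(code, None)  # every code is single-use
        if entry is None:
            return None
        user, challenge = entry
        if challenge is not None:
            if code_verifier is None or not secrets.compare_digest(
                _s256(code_verifier), challenge
            ):
                return None  # code was issued for a different login attempt
        return {"sub": user}


class Client:
    """Simulated application router (constructed for this demo).
    bind=True ties each login to the browser session via state and PKCE;
    bind=False is the weak pattern that accepts any code from any session."""

    def __init__(self, idp, bind):
        self.idp = idp
        self.bind = bind
        self.sessions = {}

    def start_login(self, session_id):
        sess = self.sessions.setdefault(session_id, {})
        if not self.bind:
            return {"state": None, "code_challenge": None}
        sess["state"] = secrets.token_urlsafe(16)
        sess["verifier"] = secrets.token_urlsafe(32)
        return {"state": sess["state"], "code_challenge": _s256(sess["verifier"])}

    def callback(self, session_id, code, state):
        """Redirect-URI handler. Returns the user the session is now logged in
        as, or None when the login is rejected."""
        sess = self.sessions.setdefault(session_id, {})
        if self.bind:
            expected = sess.pop("state", None)
            if expected is None or state is None or not secrets.compare_digest(expected, state):
                return None  # callback not started from this session
            tok = self.idp.token(code, sess.pop("verifier", None))
        else:
            tok = self.idp.token(code, None)
        if tok is None:
            return None
        sess["user"] = tok["sub"]
        return tok["sub"]


def run_legitimate(bind):
    """Victim starts a login and redeems their own code in their own session."""
    idp = AuthServer()
    client = Client(idp, bind)
    req = client.start_login("victim-session")
    code = idp.authorize("victim", req["code_challenge"])
    return client.callback("victim-session", code, req["state"])


def run_injection(bind):
    """The victim's code leaks before it is redeemed (assumed here, e.g. via a
    logged or referred redirect URL). The attacker injects it into the
    callback of their OWN session, supplying their own state. Returns the
    user the attacker's session is logged in as, or None if rejected."""
    idp = AuthServer()
    client = Client(idp, bind)
    victim_req = client.start_login("victim-session")
    victim_code = idp.authorize("victim", victim_req["code_challenge"])
    attacker_req = client.start_login("attacker-session")
    return client.callback("attacker-session", victim_code, attacker_req["state"])


if __name__ == "__main__":
    print("weak client, legitimate login :", run_legitimate(False))
    print("weak client, injected code    :", run_injection(False))   # attacker becomes "victim"
    print("bound client, legitimate login:", run_legitimate(True))
    print("bound client, injected code   :", run_injection(True))    # rejected
```

The `state` check alone defeats login CSRF (a foreign code landing in a session that never started a login) but not the variant shown here, where the attacker redeems a stolen code from a session they control and therefore know the state of; it is the PKCE verifier, which never leaves the victim's server-side session, that makes the identity provider refuse the exchange.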

The full list of advisories includes:

  • Improper Authorization in SAP BusinessObjects Business Intelligence platform (Central Management Console), CVE-2025-0064, CVSS 8.7, Risk Level: High
  • Path Traversal Vulnerability in SAP Supplier Relationship Management (Master Data Management Catalog), CVE-2025-25243, CVSS 8.6, Risk Level: High
  • Authentication Bypass via Authorization Code Injection in SAP Approuter, CVE-2025-24876, CVSS 8.1, Risk Level: High
  • Multiple Vulnerabilities in SAP Enterprise Project Connection, CVE-2024-38819, CVSS 7.5, Risk Level: High
  • Open Redirect Vulnerability in SAP HANA Extended Application Services, CVE-2025-24868, CVSS 7.1, Risk Level: High
  • SameSite Defense in Depth Not Applied for Some Cookies in SAP Commerce, CVE-2025-24875, CVSS 6.8, Risk Level: Medium
  • Missing Defense in Depth Against Clickjacking in SAP Commerce (Backoffice), CVE-2025-24874, CVSS 6.8, Risk Level: Medium
  • Cross-Site Scripting (XSS) Vulnerability in SAP BusinessObjects Business Intelligence Platform (BI Launchpad), CVE-2025-24867, CVSS 6.1, Risk Level: Medium
  • Insecure Key & Secret Management Vulnerability in SAP GUI for Windows, CVE-2025-24870, CVSS 6.0, Risk Level: Medium
  • Multiple Vulnerabilities in Apache Solr within SAP Commerce Cloud, CVE-2024-45216, CVE-2024-45217, CVSS 5.5, Risk Level: Medium
  • Cross-Site Scripting (XSS) Vulnerability in SAP NetWeaver Application Server Java, CVE-2025-0054, CVSS 5.4, Risk Level: Medium
  • Missing Authorization Check in SAP Fiori Apps Reference Library (My Overtime Requests), CVE-2025-25241, CVSS 5.4, Risk Level: Medium
  • Missing Authorization Check in SAP NetWeaver and ABAP Platform (SDCCN), CVE-2025-23187, CVSS 5.3, Risk Level: Medium
  • Information Disclosure Vulnerability in SAP NetWeaver Application Server ABAP, CVE-2025-23193, CVSS 5.3, Risk Level: Medium
  • Information Disclosure Vulnerability in SAP NetWeaver Application Server Java, CVE-2025-24869, CVSS 4.3, Risk Level: Medium
  • Missing Authorization Check in SAP ABAP Platform (ABAP Build Framework), CVE-2025-24872, CVSS 4.3, Risk Level: Medium
  • Missing Authorization Check in SAP NetWeaver and ABAP platform (ST-PI), CVE-2025-23190, CVSS 4.3, Risk Level: Medium
  • Cache Poisoning through Header Manipulation Vulnerability in SAP Fiori for SAP ERP, CVE-2025-23191, CVSS 3.1, Risk Level: Low

In comparison, the January Patch Day addressed 14 security vulnerabilities, two of which carried SAP's highest "Hot News" rating. Given how central SAP systems are to the organizations running them, keeping up with the monthly notes remains essential.

