On June 10, 2025, SAP released its monthly Security Patch Day updates, addressing 14 new vulnerabilities across various SAP products and components. This month’s release includes 1 HotNews note (CVSS score ≥ 9.0) and 4 High Priority notes (CVSS score ≥ 7.0), with a notable addition of another vulnerability affecting the previously compromised Visual Composer component.
⚠️ Visual Composer Under Continued Attack
Following the critical vulnerabilities discovered in May 2025 (CVE-2025-31324 with CVSS 10.0 and CVE-2025-42999 with CVSS 9.1), attackers have now developed new payloads targeting SAP NetWeaver Visual Composer. This month introduces CVE-2025-42977, a Directory Traversal vulnerability with CVSS 7.6, indicating that threat actors are actively developing new attack vectors for this component.
Critical Vulnerabilities (HotNews)
CVE-2025-42989: Missing Authorization check in SAP NetWeaver Application Server for ABAP
CVSS Score: 9.6 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H)
Affected Component: BC-MID-RFC-QT
Description: A critical missing authorization check vulnerability in SAP NetWeaver Application Server for ABAP that allows authenticated attackers with low privileges to significantly impact system integrity and availability. The vector is scored with a changed scope (S:C), meaning the impact extends beyond the vulnerable component itself.
Priority: HotNews
Released: June 10, 2025
Recommendation: Apply patch immediately. This vulnerability allows low-privileged users to cause high impact to system integrity and availability, making it extremely dangerous in production environments.
High-Priority Vulnerabilities
CVE-2025-42982: Information Disclosure in SAP GRC (AC Plugin)
CVSS Score: 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Affected Component: GRC-ACP
Description: A severe information disclosure vulnerability in SAP GRC Access Control Plugin that could allow attackers with low privileges to access highly sensitive information and potentially compromise system integrity and availability.
Priority: Correction with high priority
Released: June 10, 2025
Recommendation: Patch immediately to prevent unauthorized access to GRC data and potential privilege escalation.
CVE-2025-42983: Missing Authorization check in SAP Business Warehouse and SAP Plug-In Basis
CVSS Score: 8.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H)
Affected Component: CRM-MW
Description: This vulnerability allows authenticated attackers to bypass authorization checks, potentially causing significant impact to system availability and some impact to integrity.
Priority: Correction with high priority
Released: June 10, 2025
Recommendation: Apply security updates to prevent unauthorized actions that could disrupt business warehouse operations.
CVE-2025-23192: Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence
CVSS Score: 8.2 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L)
Affected Component: BI-BIP-INV (BI Workspace)
Description: A cross-site scripting vulnerability in the BI Workspace that could allow attackers to inject malicious scripts, potentially leading to session hijacking and unauthorized access to sensitive business intelligence data.
Priority: Correction with high priority
Released: June 10, 2025
Recommendation: Update affected BI platforms to prevent XSS attacks that could compromise user sessions and business data.
CVE-2025-42977: Directory Traversal vulnerability in SAP NetWeaver Visual Composer
CVSS Score: 7.6 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N)
Affected Component: EP-VC-INF
Description: New attack vector discovered: This directory traversal vulnerability in Visual Composer represents a new payload developed by attackers following the critical May 2025 vulnerabilities. It allows authenticated users with high privileges to access files outside the intended scope.
Priority: Correction with high priority
Released: June 10, 2025
Recommendation: Immediate patching required. Visual Composer continues to be actively targeted – consider additional security controls and monitoring for this component.
CVE-2025-42994: Multiple vulnerabilities in SAP MDM Server
CVSS Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Component: MDM-FN-MDS-SEC
Description: Multiple vulnerabilities in SAP Master Data Management Server that could allow unauthenticated attackers to cause high impact to system availability.
Priority: Correction with high priority
Released: June 10, 2025
Recommendation: Apply patches to prevent potential denial of service attacks on MDM infrastructure.
Medium-Priority Vulnerabilities
CVE-2025-42993: Missing Authorization Check in SAP S/4HANA (Enterprise Event Enablement)
CVSS Score: 6.7 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L)
Affected Component: OPU-XBE
Description: A missing authorization check that could allow high-privileged users to access sensitive information and modify data beyond their intended scope.
Priority: Correction with medium priority
Released: June 10, 2025
CVE-2025-31325: Cross-Site Scripting (XSS) Vulnerability in SAP NetWeaver (ABAP Keyword Documentation)
CVSS Score: 5.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)
Affected Component: BC-ABA-LA
Description: An XSS vulnerability in ABAP Keyword Documentation that could allow unauthenticated attackers to inject malicious scripts.
Priority: Correction with medium priority
Released: June 10, 2025
CVE-2025-42984: Missing Authorization check in SAP S/4HANA (Manage Central Purchase Contract application)
CVSS Score: 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L)
Affected Component: MM-PUR-HUB-CTR
Description: A missing authorization check in the central purchase contract application that could allow low-privileged users to access some sensitive information.
Priority: Correction with medium priority
Released: June 10, 2025
CVE-2025-42998: Security misconfiguration vulnerability in SAP Business One Integration Framework
CVSS Score: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Component: SBO-INT-B1IF
Description: A security misconfiguration that could allow unauthenticated attackers to access limited sensitive information.
Priority: Correction with medium priority
Released: June 10, 2025
CVE-2025-42991: Missing Authorization check in SAP S/4HANA (Bank Account Application)
CVSS Score: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Affected Component: FIN-FSCM-CLM-BAM
Description: A missing authorization check in the bank account application that could allow minor unauthorized modifications.
Priority: Correction with medium priority
Released: June 10, 2025
CVE-2025-42987: Missing Authorization Check in SAP S/4HANA (Manage Processing Rules – For Bank Statement)
CVSS Score: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
Affected Component: FI-FIO-AR-PAY
Description: A missing authorization check that could allow authenticated users to make unauthorized modifications to bank statement processing rules.
Priority: Correction with medium priority
Released: June 10, 2025
Low-Priority Vulnerabilities
CVE-2025-42988: Server-Side Request Forgery in SAP BusinessObjects Business Intelligence Platform
CVSS Score: 3.7 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Component: BI-BIP-INV
Description: A server-side request forgery vulnerability that requires complex attack vectors to exploit and has limited impact.
Priority: Correction with low priority
Released: June 10, 2025
CVE-2025-42990: HTML Injection in Unprotected SAPUI5 applications
CVSS Score: 3.0 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:N)
Affected Component: CA-UI5-SC
Description: An HTML injection vulnerability in unprotected SAPUI5 applications that requires user interaction and complex attack scenarios.
Priority: Correction with low priority
Released: June 10, 2025
Key Security Trends and Analysis
Visual Composer Continues to Be Targeted
The discovery of CVE-2025-42977 (Directory Traversal) in Visual Composer indicates that attackers are actively developing new payloads and attack vectors for this component. This follows the critical May 2025 vulnerabilities and suggests ongoing research by threat actors.
Authorization Issues Remain Prevalent
Five out of 14 vulnerabilities (36%) are related to missing authorization checks, continuing the trend observed in previous patch cycles. This highlights the ongoing challenges in properly implementing access controls across SAP landscapes.
NetWeaver ABAP Under Attack
The HotNews vulnerability CVE-2025-42989 affects NetWeaver Application Server for ABAP, a core component of most SAP installations, making this particularly critical for organizations.
Immediate Action Required
- Patch HotNews Vulnerability Immediately: CVE-2025-42989 in NetWeaver ABAP requires immediate attention due to its high CVSS score of 9.6 and potential for widespread impact.
- Strengthen Visual Composer Security: Given the continued targeting of Visual Composer, implement additional monitoring, network segmentation, and consider disabling if not actively used.
- Prioritize High-Priority Patches: Address the 5 high-priority vulnerabilities within your next maintenance window, particularly those affecting GRC and Business Intelligence platforms.
- Review Authorization Configurations: Conduct a comprehensive audit of authorization settings across all affected components, especially those with missing authorization check vulnerabilities.
- Enhanced Monitoring: Implement enhanced logging and monitoring for Visual Composer, NetWeaver ABAP, and GRC components to detect potential exploitation attempts.
- Consider Zero-Trust Architecture: The continued discovery of authorization bypass vulnerabilities suggests implementing zero-trust principles may be necessary for critical SAP components.
Bottom Line: The June 2025 SAP Security Patch Day introduces concerning developments, particularly the continued exploitation research targeting Visual Composer and a new critical vulnerability in NetWeaver ABAP. Organizations must prioritize immediate patching of the HotNews vulnerability and implement additional security controls for previously compromised components.
This analysis is based on the official SAP Security Notes released on June 10, 2025. For detailed technical information and implementation guidance, please refer to the SAP Security Notes on the SAP Support Portal.