SAP Patches Critical Vulnerabilities in NetWeaver Platform
2025-01-15
Learn about the critical importance of patch management to protect SAP systems from severe vulnerabilities and safeguard enterprise data.
SAP's January 2025 Patch Day includes the release of 14 new security notes, addressing critical vulnerabilities in its NetWeaver platform. The most severe issues involve an improper authentication bug and an information disclosure flaw, both posing significant risks to application confidentiality, integrity, and availability. Additional patches resolve a high-severity SQL injection vulnerability in NetWeaver and other notable flaws in SAP's BusinessObjects Business Intelligence platform and SAPSetup. The remaining notes cover medium- and low-severity defects across various SAP components.
Patch Management, Weak or Compromised Credentials, Web App/Website Vulnerability
SAP, NetWeaver, ABAP, CVE-2025-0070, CVE-2025-0066, SQL Injection, Vulnerability Patch
CVE-2025-0070; CVE-2025-0066; CVE-2025-0063; CVE-2025-0061; CVE-2025-0060; CVE-2025-0069
NetWeaver AS for ABAP, ABAP Platform, Informix database, BusinessObjects Business Intelligence platform, SAPSetup, Business Workflow, Flexible Workflow, GUI for Windows
SAP has issued a critical security update as part of its January 2025 Patch Day, releasing 14 new security notes. These updates focus on resolving significant vulnerabilities in the NetWeaver platform, among others, to enhance the security of their enterprise software solutions. Among the most crucial updates are fixes for two critical vulnerabilities in the NetWeaver AS for ABAP and ABAP Platform. Both vulnerabilities have been assigned a CVSS score of 9.9, indicating their severity. Improper Authentication (CVE-2025-0070): This vulnerability involves improper authentication, which could allow attackers to intercept credentials from internal RFC communication between an HTTP client and server within the same system. The risk here is that attackers could use these credentials to impersonate an internal caller, potentially compromising the confidentiality, integrity, and availability of the application. Information Disclosure (CVE-2025-0066): This flaw could enable attackers to access decrypted plaintext credential information under certain conditions. Such exposure might allow unauthorized access to communicate with other systems, posing a significant security risk. SAP's security updates also cover other high-severity vulnerabilities: SQL Injection in NetWeaver (CVE-2025-0063): This vulnerability affects the Informix database and could allow attackers to manipulate and take over data. With a CVSS score of 8.8, it is crucial for organizations using this database to apply the patch promptly. BusinessObjects Business Intelligence Platform: Two high-severity bugs, tracked as CVE-2025-0061 and CVE-2025-0060, have been resolved, enhancing the security of this platform. DLL Hijacking in SAPSetup (CVE-2025-0069): This vulnerability involves DLL hijacking, which could allow unauthorized code execution if exploited. In addition to the critical and high-severity vulnerabilities, the security notes address several medium- and low-severity issues. These include security defects in Business Workflow and Flexible Workflow, NetWeaver, GUI for Windows, and BusinessObjects. While these may not pose an immediate threat, addressing them can further strengthen the overall security posture.SAP January 2025 Security Patch Overview
Key Vulnerabilities in NetWeaver
Additional Vulnerabilities Addressed
Medium- and Low-Severity Issues
https://www.securityweek.com/sap-patches-critical-vulnerabilities-in-netweaver/