SAP Releases January 2025 Updates

Updates address two critical vulnerabilities which could lead to information disclosure or privilege escalation, and fourteen others affecting multiple products

Threat ID:: CC-4603
Threat Severity:: Medium
Published:: 14 January 2025 3:22 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Updates address two critical vulnerabilities which could lead to information disclosure or privilege escalation, and fourteen others affecting multiple products

Affected platforms

The following platforms are known to be affected:

SAP NetWeaver Application Server

The following platforms are also known to be affected:

BusinessObjects Business Intelligence Platform
SAPSetup
Business Workflow and SAP Flexible Workflow
SAP GUI for Windows
SAP GUI for Java

Threat details

Introduction

SAP has released January 2025 security updates addressing multiple vulnerabilities affecting multiple product lines. Of concern are vulnerabilities affecting the SAP NetWeaver product line. SAP NetWeaver is a software stack used for many of SAP's applications. SAP NetWeaver Application Server (AS) is the runtime environment for the applications and is a requirement for all products in the mySAP Business Suite.

The below vulnerabilities affect NetWeaver AS for ABAP and ABAP Platform:

CVE-2025-0070 is an 'improper authentication' vulnerability with a CVSSv3 score of 9.9. If exploited, an authenticated attacker with low privileges could escalate privileges.
CVE-2025-0066 is an 'incorrect permission assignment for critical resource' vulnerability with a CVSSv3 score of 9.9. If exploited, an authenticated attacker with low privileges could achieve information disclosure.
CVE-2025-0063 is an 'improper neutralization of special elements used in an SQL command' vulnerability with a CVSSv3 score of 8.8. If exploited, an authenticated attacker with low privileges could perform SQL Injection.

The security updates also address 13 further vulnerabilities affecting multiple products.

Remediation advice

Affected organisations are encouraged to review the 'SAP Security Patch Day – January 2025' security notes and apply any relevant updates.

Definitive source of threat updates

https://support.sap.com/en/my-support/knowledge-base/security-notes-news/january-2025.html

CVE Vulnerabilities

Status Published

CVE-2025-0070

SAP NetWeaver Application Server for ABAP and ABAP Platform allows an authenticated attacker to obtain illegitimate access to the system by exploiting improper authentication checks, resulting in privilege escalation. On successful exploitation, this can result in potential security concerns. This results in a high impact on confidentiality, integrity, and availability.

Status Published

CVE-2025-0066

Under certain conditions SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) allows an attacker to access restricted information due to weak access controls. This can have a significant impact on the confidentiality, integrity, and availability of an application

Status Published

CVE-2025-0063

SAP NetWeaver AS ABAP and ABAP Platform does not check for authorization when a user executes some RFC function modules. This could lead to an attacker with basic user privileges to gain control over the data in Informix database, leading to complete compromise of confidentiality, integrity and availability.

Last edited: 14 January 2025 3:22 pm