SAP Product Security Update Advisory

Overview

We have released security updates to fix vulnerabilities in SAP products. Users of affected products are advised to update to the latest version.

 

 

Affected Products

CVE-2025-30012, CVE-2025-30018
SAP Supplier Relationship Management (Live Auction Cockpit) Version: SRM_SERVER 7.14

CVE-2025-42967
SAP S/4HANA and SAP SCM (Characteristic Propagation) Versions: SCMAPO 713, 714, S4CORE 102 to 104, S4COREOP 105 to 108, SCM 700, 701, 702, 712

CVE-2025-42980
SAP NetWeaver Enterprise Portal Federated Portal Network Version: EP-RUNTIME 7.50

CVE-2025-42964
SAP NetWeaver Enterprise Portal Administration Version: EP-RUNTIME 7.50

CVE-2025-42966
SAP NetWeaver (XML Data Archiving Service) Version: J2EE-APPS 7.50

CVE-2025-42963
SAP NetWeaver Application Server for Java (Log Viewer) Version: LMNWABASICAPPS 7.50

CVE-2025-42959
SAP NetWeaver ABAP Server and ABAP Platform Versions: SAP_BASIS 700, 701, 702, 731, 740, 750 to 758, 914, 915

CVE-2025-42953
SAP NetWeaver Application Server for ABAP Versions: SAP_BASIS 701, 702, 731, 740, 750 to 758, 816

CVE-2025-42952
SAP Business Warehouse and SAP Plug-In Basis Versions: PI_BASIS 2006_1_700, 701, 702, 731, 740, SAP_BW 700, 701, 702, 731, 740, 750 to 758, 816

CVE-2025-42977
SAP NetWeaver Visual Composer Version: VCBASE 7.50


Resolved Vulnerabilities

 

Multiple vulnerabilities in SAP Supplier Relationship Management (CVE-2025-30012, CVE-2025-30018)
Code Injection Vulnerability in SAP S/4HANA and SAP Characteristic Propagation (SCM) (CVE-2025-42967)
Deserialization Vulnerability in SAP NetWeaver Enterprise Portal Federated Portal Network (CVE-2025-42980)
Deserialization Vulnerability in SAP NetWeaver Enterprise Portal Administration (CVE-2025-42964)
Deserialization Vulnerability in SAP NetWeaver (XML Data Archiving Service) (CVE-2025-42966)
Deserialization Vulnerability in SAP NetWeaver Application Server for Java (Log Viewer) (CVE-2025-42963)
Authentication Bypass Vulnerability in SAP NetWeaver ABAP Server and ABAP Platform (CVE-2025-42959)
No Authorization Check Vulnerability in SAP NetWeaver Application Server for ABAP (CVE-2025-42953)
No Authorization Check Vulnerability in SAP Business Warehouse and SAP Plug-In Basis (CVE-2025-42952)
Directory Traversal Vulnerability in SAP NetWeaver Visual Composer (CVE-2025-42977)

 

 

Vulnerability Patches

Patches for these vulnerabilities are available in the latest updates. Follow the instructions on the Referenced Sites to update to the latest patched version.

CVE-2025-30012, CVE-2025-30018, CVE-2025-42967, CVE-2025-42980, CVE-2025-42964, CVE-2025-42966, CVE-2025-42963, CVE-2025-42959, CVE-2025-42953, CVE-2025-42952, CVE-2025-42977

Separate security patches available [2][3][4][5][6][7][8][9][10][11][12]

 

 

Referenced Sites

 

[1] SAP Security Patch Day – July 2025
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/july-2025.html
[2] CVE-2025-30012
https://me.sap.com/notes/3578900
[3] CVE-2025-30018
https://me.sap.com/notes/3578900

[4] CVE-2025-42967
https://me.sap.com/notes/3618955
[5] CVE-2025-42980
https://me.sap.com/notes/3620498
[6] CVE-2025-42964
https://me.sap.com/notes/3621236
[7] CVE-2025-42966
https://me.sap.com/notes/3610892
[8] CVE-2025-42963
https://me.sap.com/notes/3621771
[9] CVE-2025-42959
https://me.sap.com/notes/3600846
[10] CVE-2025-42953
https://me.sap.com/notes/3623440
[11] CVE-2025-42952
https://me.sap.com/notes/3623255
[12] CVE-2025-42977
https://me.sap.com/notes/3610591