To bolster the security of its Business Intelligence Platform, SAP has published thirteen new security patches on the first patch day of 2025. These patches address a series of critical vulnerabilities that could compromise the confidentiality, integrity, and availability of SAP systems.

One of the most significant vulnerabilities, addressed by SAP security note #3474398, allows an unauthenticated attacker to perform session hijacking over the network without user interaction. This vulnerability affects SAP NetWeaver AS for ABAP and the ABAP Platform, placing most SAP systems at high risk if left unpatched.

Another critical vulnerability, rated with a CVSS score of 7.8, is described in security note #3542533. This DLL-hijacking vulnerability in SAPSetup can enable an attacker who already has local user rights, or access to the Windows account of a compromised corporate user, to gain broader permissions.

The Onapsis Platform is being updated to integrate these newly published vulnerabilities into the product. The Onapsis Research Labs team, which contributed to patching two HotNews vulnerabilities and some remotely exploitable function modules in SAP systems, is also working on fixing these issues.

In January 2025, SAP collaborated with the security company CrowdStrike to address two HotNews vulnerabilities and one medium-priority security vulnerability. The Onapsis Research Labs team also worked on fixing a vulnerability in SAP NetWeaver AS for ABAP and the ABAP Platform in which an authenticated user with limited access can inject malicious JavaScript code to read sensitive information from the server and impersonate a user with strong rights.

Security note #3550674 patches these function modules by disabling them, while security note #3550708 addresses a vulnerability that allows an attacker to read decrypted clear-text login credentials in SAP NetWeaver AS for ABAP and the ABAP Platform.

Three of the thirteen security notes were provided in collaboration with Onapsis Research Labs. SAP security note #3537476 addresses an unauthorized authentication vulnerability in SAP NetWeaver AS for ABAP and the ABAP Platform. This vulnerability allows an attacker to capture login credentials from internal RFC communication and impersonate the caller towards Server A.

Two of the thirteen security notes are HotNews notes. For more details about all of the security notes, visit the Onapsis Blog. Subscribing to the Defenders Digest Onapsis Newsletter provides more information on the latest SAP security issues and on Onapsis's continuous efforts to share knowledge with the security community.

Lastly, SAP security note #3550816 disables some remotely exploitable function modules that an attacker could use to inject SQL code when accessing Informix databases. It is crucial for SAP users to apply these patches promptly to ensure the security of their systems.
