Enterprise software maker SAP on Tuesday announced the release of 21 new and three updated security notes on its March 2025 security patch day.
The company included five high-priority security notes in its advisory, namely three new notes that address vulnerabilities in Commerce, NetWeaver, and Commerce Cloud, and two updated notes that resolve flaws in Approuter and PDCE.
The most severe of these issues are CVE-2025-27434 and CVE-2025-26661 (CVSS score of 8.8), described as a cross-site scripting (XSS) bug in Commerce and a missing authorization check in NetWeaver.
The XSS issue resides in the open source library Swagger UI, and could allow an unauthenticated attacker to inject malicious code if they convince a user “to place a malicious payload into an input field”, application security firm Onapsis notes.
The NetWeaver vulnerability was discovered in the transaction SA38, and allows access to restricted functionality.
SAP also released patches for Commerce Cloud to resolve two high-severity bugs in Apache Tomcat that could be exploited to cause a denial-of-service (DoS) condition or bypass authentication.
The updated high-priority security notes resolve an authentication bypass in Approuter and a missing authorization check in PDCE. The notes were initially published in February 2025 and July 2024.
On Tuesday, SAP also announced the release of 15 medium-priority security notes that resolve flaws in Business One, NetWeaver, Business Warehouse, BusinessObjects, Web Dispatcher and Internet Communication Manager, S/4HANA, Fiori apps, and Permit to Work.
SAP also released five low-priority notes this week, including a note with a CVSS score of 0.0, which “provides best practice information about custom Java applications in SAP BTP implemented with the Spring Framework,” as Onapsis explains.
The note provides details on the endpoints that the debugging and monitoring tool Spring Boot Activator may expose, and which could introduce serious vulnerabilities is not properly secured.
Related: SAP Releases 21 Security Patches
Related: SAP Patches Critical Vulnerabilities in NetWeaver
Related: SAP Patches Critical Vulnerability in NetWeaver
Related: SAP Patches High-Severity Vulnerability in Web Dispatcher
About The Author
Original post here
