Unveiling the latest developments:
In the latest SAP Patch Day of June 2025, a total of twelve new and updated security patches were released, with two of them marked as High Priority. These High Priority Notes are of significant concern for users of SAP NetWeaver environments, as they are exposed to critical vulnerabilities disclosed in the June 2025 patchday. Immediate patching and security measures are required to mitigate the risks.
One of the High Priority Notes, SAP Security Note #3457592, addresses two Cross-Site Scripting (XSS) vulnerabilities in SAP Financial Consolidation. With a CVSS score of 8.1, these vulnerabilities pose a high risk and could allow an attacker to embed a malicious script into a link, potentially accessing or modifying information in the victim's browser. This, in turn, impacts the application's confidentiality and integrity.
Another High Priority Note, SAP Security Note #3460407, patches a Denial of Service (DoS) vulnerability in the Meta Model Repository services of SAP NetWeaver AS Java. This vulnerability, tagged with a CVSS score of 7.5, could potentially disrupt the services, causing significant operational disruptions.
SAP NetWeaver AS Java and SAP Financial Consolidation were the primary systems affected by the High Priority Notes. In the case of SAP NetWeaver AS Java, an Information Disclosure vulnerability was detected in the Guided Procedures component, tracked under CVE-2024-28164. This vulnerability allows an unauthenticated user to access non-sensitive information about the server.
Other notable security patches released in June include SAP Security Note #3425571, which patches an Information Disclosure vulnerability in the Guided Procedures component with a CVSS score of 5.3, and SAP Security Note #3457265, which patches a Missing Authorization Check vulnerability in SAP SLcM with a CVSS score of 5.4.
It's important to note that customers are only affected by the vulnerabilities associated with SAP Security Note #3459379 if they have applied SAP Note #3328365 before or if they are on the equivalent Support Package level of this SAP Note. After applying the patch for SAP Security Note #3459379, it is recommended to check the system's virus scan profile settings.
Onapsis Research Labs, a leading cybersecurity firm, contributed to 50% of all new SAP Security Notes in June. The new team members from Romania at Onapsis Research Labs also played a part in creating some of the June Security Notes.
Lastly, a Missing Authorization Check vulnerability was detected in a remote-enabled function module of SAP Student Life Cycle Management (SLcM), while an XSS vulnerability was detected in SAP CRM due to insufficient input validation in the WebClient UI. SAP Security Note #3465129 patches the XSS vulnerability in SAP CRM, with a CVSS score of 6.1, and SAP Security Note #3453170 patches a Denial of Service vulnerability in SAP NetWeaver AS ABAP and ABAP platform, with a CVSS score of 6.5.
In conclusion, it is crucial for SAP users to stay vigilant and promptly apply the necessary security patches to protect their systems from potential vulnerabilities. For more information and guidance, users are encouraged to refer to the SAP Security Notes and consult with their IT departments or cybersecurity providers.
Read also:
- Expanded Criticism of Human Rights Protections - Specialists Criticize Russia's Intensified Crackdown on Virtual Private Networks and Encrypted Applications
- Cyber Attack Nets $14 Million from WOO X Across Four Different Blockchains
- Auto industry giants Fescaro and TUV Nord team up for cybersecurity certification in automobiles
- Nigerian Securities and Exchange Commission (SEC) teams up with Chainalysis to combat cryptocurrency fraud activities
