The second Tuesday of each month is SAP Patch Day, a day in which SAP releases software corrections. It is recommended that security leaders prioritize the implementation of these patches. 

On May 13, 2025, SAP Patch Day saw 16 new security notes and 2 updated security notes. For security leaders who want to take a deeper dive into this, a SAP Security Analyst examines the updates below. 

Breaking Down May 2025’s SAP Patch Day

Jonathan Stross, SAP Security Analyst at Pathlock:

May 2025’s SAP Patch Day highlights several serious vulnerabilities in legacy UI components, authorization frameworks and interface layers. With two CVEs at or near the maximum CVSS score, and multiple system-level flaws, timely patching is imperative. Organizations are encouraged to perform thorough system reviews, deprecate outdated Java-based components (such as those in Live Auction Cockpit), and adopt SAP’s recommended hardening practices.

SAP today released a total of 18 security notes, including 16 new notes and 2 updates to previously published advisories. The May release addresses a broad spectrum of vulnerabilities, ranging from critical authorization issues to remote code execution, information disclosure, and cross-site scripting. Two particularly dangerous flaws affect SAP NetWeaver Visual Composer, both with CVSS scores over 9.0. Additionally, critical vulnerabilities are present in SAP S/4HANA, Business Objects, and Live Auction Cockpit.

Let’s examine the most significant updates in this month’s release.

CVE-2025-31324 – Missing Authorization Check in SAP NetWeaver Visual Composer

This critical vulnerability (CVSS 10.0) allows unauthenticated users to upload malicious executables to the Visual Composer development server. If exploited, this can lead to complete system compromise, including data theft and service disruption. The fix applies to VCFRAMEWORK 7.50 and must be implemented immediately. This note updates the April 2025 Patch Day release.

CVE-2025-42999 – Insecure Deserialization in SAP NetWeaver Visual Composer

Following up on the previous issue, this separate but related vulnerability (CVSS 9.1) allows privileged users to exploit insecure deserialization and potentially execute malicious code on the host system. SAP has removed the vulnerable deserialization logic and recommends optional integration with Virus Scan Interface (VSI). Organizations using SAP NetWeaver Visual Composer should apply this patch in parallel with CVE-2025-31324.

CVE-2025-30018 – Multiple Vulnerabilities in SAP SRM Live Auction Cockpit

A set of five vulnerabilities affect the Live Auction Cockpit in SAP SRM (CVSS up to 8.6), including: Blind XXE, Reflected XSS, Open Redirect, Information Disclosure, and Insecure Deserialization. These stem from deprecated Java applets and can be exploited without authentication. Organizations using SRM 7.14 should decommission the Java applet components and follow SAP Note guidance for safe configurations.

CVE-2025-43010 – Code Injection in SAP S/4HANA SCM Master Data Layer

With a CVSS score of 8.3, this vulnerability allows low-privileged users to remotely inject ABAP code that can modify or destroy system programs. The vulnerable function module has been deprecated. Affected are both on-premise and private cloud installations across multiple S4CORE and SCM_BASIS versions.

CVE-2025-43000 – Information Disclosure in SAP BusinessObjects PMW

This vulnerability (CVSS 7.9) in the Promotion Management Wizard (PMW) allows attackers to access restricted files. SAP recommends isolating PMW installations and patching all relevant servers. Affected systems include SAP BusinessObjects Enterprise versions 430, 2025, and 2027.

CVE-2025-43011 – Missing Authorization in SAP Landscape Transformation (PCL)

A missing authorization check in the PCL Basis module allows low-privileged users to access restricted transformation functions (CVSS 7.7). This vulnerability affects a wide range of DMIS and S4CORE versions, and can expose sensitive business process data.

CVE-2024-39592 – SAP PDCE (Update to July 2024 Note)

An updated fix addresses a high-severity (CVSS 7.7) authorization bypass in SAP PDCE, affecting business analytics components. This is an update to a previously released note from July 2024 and extends support for newer SP levels.

My patching and mitigation recommendations include:

• Patch all Critical and High CVSS vulnerabilities immediately.
• For Medium CVSS vulnerabilities, prioritize based on business exposure and ease of exploitation.
• Where updates aren’t possible, mitigation strategies like disabling vulnerable components, isolating services (e.g., PMW), and enforcing stricter RFC authorization checks (via SACF) are recommended.