{"id":2303,"date":"2025-03-12T16:45:17","date_gmt":"2025-03-12T16:45:17","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2303"},"modified":"2025-03-12T16:45:17","modified_gmt":"2025-03-12T16:45:17","slug":"sap-patches-severe-vulnerabilities-in-netweaver-and-commerce-apps","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2303","title":{"rendered":"SAP patches severe vulnerabilities in NetWeaver and Commerce apps"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p><a href=\"https:\/\/www.cio.com\/article\/3487010\/sap-latest-news-and-insights.html\">SAP<\/a> has patched high-severity vulnerabilities in its Commerce and NetWeaver enterprise software packages.<\/p>\n<p>The fixes were among 25 security patches released on Tuesday in the latest edition of SAP\u2019s monthly patch release cycle.<\/p>\n<p>SAP Security Note <a href=\"https:\/\/me.sap.com\/notes\/3563927\">#3563927<\/a> addresses a critical vulnerability in transaction SA38 of SAP NetWeaver Application Server ABAP. If successfully exploited, the vulnerability (tracked as CVE-2025-26661) grants access to Class Builder functions that ought to be restricted to the ABAP Development Workbench.<\/p>\n<p>The vulnerability scores 8.8 on the CVSS scale, well toward the critical end of the spectrum.<\/p>\n<p>SAP NetWeaver Application Server ABAP (AS ABAP) is a middleware component in SAP\u2019s software stack that acts as a foundation for many SAP applications. 
The technology ties together user interaction and desktop component integration (presentation layer), ABAP application servers and message servers (application layer), and databases.<\/p>\n<p>ABAP is SAP\u2019s proprietary language.<\/p>\n<p>SAP Security Note <a href=\"https:\/\/me.sap.com\/notes\/3569602\">#3569602<\/a> covers a cross-site scripting (XSS) vulnerability in SAP Commerce, stemming from security bugs in the open-source library swagger-ui bundled with the widely used middleware.<\/p>\n<p>The flaw, tracked as CVE-2025-27434, lies in the explore feature of Swagger UI and gives an unauthenticated attacker a potential path to inject malicious code from remote sources through a DOM-based XSS attack. A victim would first need to be tricked, for example via social engineering, into placing a malicious payload in an input field.<\/p>\n<p>If successful, an attacker could compromise the confidentiality, integrity, and availability of the application, earning the vulnerability a high CVSS score of 8.8.<\/p>\n<p>Enterprises are advised to triage the vulnerability promptly or, at minimum, remove any use of swagger-ui in SAP Commerce or block access to Swagger consoles as workarounds against potential exploitation.<\/p>\n<p>Another update, SAP Security Note <a href=\"https:\/\/me.sap.com\/notes\/3566851\">#3566851<\/a>, tagged with a CVSS score of 8.6, involves a denial of service (DoS) and an unchecked error condition vulnerability in SAP Commerce Cloud.<\/p>\n<p>The same update also patches Apache Tomcat, the platform for hosting Java-based web applications that implements the Java Servlet and JavaServer Pages (JSP) specifications, catching up on vulnerabilities first discovered last year (<a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2024-38286\">CVE-2024-38286<\/a> and <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2024-52316\">CVE-2024-52316<\/a>).<\/p>\n<h2 class=\"wp-block-heading\">Additional SAP patches of 
note<\/h2>\n<p>Missing authorization checks in SAP PDCE FIN-BA (CVE-2024-39592, with a CVSS score of 7.7) are covered in another security update (SAP Security Note <a href=\"https:\/\/me.sap.com\/notes\/3483344\">#3483344<\/a>).<\/p>\n<p>Enterprises that have deployed custom Java applications in SAP BTP implemented using the Spring Framework are advised to review SAP Security Note <a href=\"https:\/\/me.sap.com\/notes\/3576540\">#3576540<\/a>, an advisory that offers best practice guidance.<\/p>\n<p>\u201cDevelopers often use the Spring Boot Actuator, a tool exposing various URL endpoints that offer real-time application data, aiding in debugging and monitoring,\u201d explains a <a href=\"https:\/\/onapsis.com\/blog\/sap-patch-day-march-2025\/\">blog post by enterprise application security specialists Onapsis<\/a>. \u201cHowever, without proper security measures, these endpoints can introduce serious vulnerabilities.\u201d<\/p>\n<p>The note lists the affected endpoints and describes in detail the conditions under which applications are affected.<\/p>\n<p>Another bulletin, SAP Security Note <a href=\"https:\/\/me.sap.com\/notes\/3567974\">#3567974<\/a>, contains updated guidance about a vulnerability in SAP App Router addressed by the ERP software vendor last month.<\/p>\n<p>The remainder of SAP\u2019s March patch batch addresses \u201cmedium\u201d and \u201clow\u201d impact flaws, as summarized in Onapsis\u2019 blog post.<\/p>\n<p>A full rundown of SAP\u2019s patches can be found <a href=\"https:\/\/support.sap.com\/en\/my-support\/knowledge-base\/security-notes-news\/march-2025.html\">on the vendor\u2019s website<\/a>.<\/p>\n<p>SAP enterprise systems, long viewed as an opaque black box, are <a href=\"https:\/\/www.csoonline.com\/article\/3624464\/researchers-expose-a-surge-in-hacker-interest-in-sap-systems.html\">increasingly being targeted by attackers<\/a>, research unveiled at last year\u2019s Black Hat conference revealed.<\/p>\n<p>The release 
of SAP\u2019s patches coincided with updates from <a href=\"https:\/\/www.csoonline.com\/article\/3843344\/march-patch-tuesday-warnings-act-fast-to-plug-zero-day-holes-in-windows-vmware.html\">Microsoft, VMware, and others<\/a>.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>SAP has patched high-severity vulnerabilities in its Commerce and NetWeaver enterprise software packages. The updates came as part of 25 security patches released on Tuesday for the latest edition of SAP\u2019s monthly patch release cycle. SAP Security Note #3563927 addresses a critical vulnerability in transaction SA38 SAP NetWeaver Application Server ABAP. If successfully exploited, the [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2304,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2303","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2303"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2303"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2303\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2304"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2303"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2
Fcategories&post=2303"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2303"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}