Sign in Subscribe
Vulnerability Exploits

SAP fixes critical vulnerabilities in NetWeaver application servers

SAP fixes critical vulnerabilities in NetWeaver application servers

Here is the latest information on SAP NetWeaver vulnerabilities and security patches, particularly focusing on recent updates and critical vulnerabilities.

January 2025 SAP Security Updates

Critical Vulnerabilities

In the January 2025 Security Patch Day, SAP addressed several critical vulnerabilities in its products:

  • CVE-2025-0070 (CVSS 9.9): This vulnerability involves improper authentication in the SAP NetWeaver ABAP Server and ABAP Platform. It is marked as critical and requires immediate attention to prevent exploitation15.

  • CVE-2025-0066 (CVSS 9.9): This is an information disclosure vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework). It is also rated as critical and necessitates prompt patching15.

Security Notes

SAP released 14 new Security Notes in January 2025, with two of them marked as critical. These updates are crucial for organizations using affected SAP products to mitigate potential exploitation risks.

Recent Vulnerabilities and Patches

December 2024 Security Updates

In December 2024, SAP addressed 16 vulnerabilities, including a critical Server-Side Request Forgery (SSRF) flaw in NetWeaver’s Adobe Document Services:

  • CVE-2024-47578: This critical vulnerability was part of the December 2024 Security Patch Day and involved an SSRF flaw. SAP released nine new and four updated security notes to address these vulnerabilities3.

Impact and Recommendations

Immediate Patching

Organizations using SAP NetWeaver and related products are urged to apply the patches immediately to address the critical vulnerabilities. Delaying these updates could expose systems to significant risks of exploitation.

Security Notes and Details

For a full list of addressed SAP vulnerabilities, it is recommended to refer to SAP's official Security Notes page. This resource provides detailed information on the vulnerabilities, their severity, and the necessary patches15.

Additional Context

CISA and Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) often adds critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. While the latest SAP vulnerabilities are not explicitly mentioned in CISA's KEV catalog in the provided sources, it is essential to monitor CISA's updates for any additions related to SAP products34.

In summary, the January 2025 SAP Security Patch Day includes critical fixes for SAP NetWeaver, particularly addressing improper authentication and information disclosure vulnerabilities. Ensuring timely application of these patches is crucial to maintain the security and integrity of affected systems. For more detailed information, refer to SAP's official security notes and updates.

Sources:

  • [Socradar.io: January 2025 Patch Tuesday Highlights]1
  • [Security Affairs: SAP December 2024 Security Patch Day]3
  • [Cyber Security Agency of Singapore: Security Bulletin 15 Jan 2025]5

Read next

Researchers Find Exploit Allowing NTLMv1 Despite Active Directory Restrictions

Researchers Find Exploit Allowing NTLMv1 Despite Active Directory Restrictions

Latest News on NTLMv1 Vulnerability and Active Directory Misconfiguration NTLMv1 Vulnerability and Bypassing NTLMv1 Restrictions Recent research has highlighted a significant vulnerability related to NTLMv1 in Active Directory environments, which can be exploited despite Microsoft's efforts to block NTLMv1. Misconfigured On-Prem Applications Researchers have discovered that misconfigured on-premises
Geetansh