SAP Security Notes, April 2025

Hot news note 3581961 patches a critical command injection vulnerability in SAP S/4HANA. Attackers can exploit a vulnerable remote-enabled function module using RFC to create a backdoor that bypasses authorization checks and provides full administrative access to the system. All releases of S/4HANA on-premise and private cloud are impacted. Corrections are included in the support package referenced in the note for the S4CORE software component.

The vulnerability also impacts standalone SAP Landscape Transformation installations with the DMIS software component. Note 3587115 includes support packages for the relevant DMIS versions.

Hot news note 3572688 addresses a vulnerability that enables attackers to bypass authentication mechanisms to compromise the Admin account in SAP Financial Consolidation. The account is primarily used for initial installation and configuration, supporting system and user administration.

Note 3525794 deals with a high priority information disclosure vulnerability in SAP BusinessObjects Business Intelligence (BOBJ) that could lead to the leakage of passphrases for user authentication. The support packages included in the note remove access to passphrases from users. A workaround is also included in the note that involves disabling Trusted Authentication in the BOBJ Central Management Console.

Note 3554667 also addresses a high-risk information disclosure vulnerability. Attackers can discover credentials for RFC destinations in SAP NetWeaver AS ABAP using specific RFC calls. The kernel patches included in the note apply the required validation for dynamic destinations to fix the vulnerability. The vulnerability can also be addressed by disabling dynamic RFC destinations, which is done by setting the profile parameter rfc/dynamic_dest_api_only to the value 1.
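To verify that the rfc/dynamic_dest_api_only workaround is actually in force on a system, here is an added example (not code from the note or from SAP) that parses constructed SAP profile files, applies the default-profile-then-instance-profile precedence, and reports whether the parameter is set to 1. It assumes the plain `name = value` profile syntax with `#` comment lines, and it cannot see values changed dynamically at runtime (for example via RZ11), which must be checked on the running system.

```python
"""Audit SAP profile files for the note 3554667 workaround (rfc/dynamic_dest_api_only = 1)."""
import re

PARAM = "rfc/dynamic_dest_api_only"
HARDENED_VALUE = "1"

# Constructed sample profiles, not real customer files.
# Weak: the parameter is absent, so the kernel default applies.
PROFILE_WEAK = """\
# DEFAULT.PFL (constructed sample)
SAPSYSTEMNAME = S4H
rdisp/wp_no_dia = 10
"""
# Hardened: the parameter is set twice; SAP profile semantics let the
# later assignment win, so the effective value is 1.
PROFILE_HARDENED = """\
# instance profile (constructed sample)
rfc/dynamic_dest_api_only = 0
rfc/dynamic_dest_api_only = 1
"""

_ASSIGN = re.compile(r"^\s*([^#=\s]+)\s*=\s*(.*?)\s*$")

def parse_profile(text: str) -> dict[str, str]:
    """Return parameter -> value for one profile. Blank lines and lines
    starting with '#' are ignored; a later assignment overrides an earlier one."""
    params: dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params

def audit_dynamic_dest(*profiles: str) -> tuple[bool, str]:
    """Merge profiles in the order given (default profile first, instance profile
    last, as SAP applies them) and report whether dynamic destinations are disabled."""
    effective: dict[str, str] = {}
    for text in profiles:
        effective.update(parse_profile(text))
    value = effective.get(PARAM)
    if value is None:
        return False, f"{PARAM} not set; kernel default applies (not explicitly hardened)"
    if value == HARDENED_VALUE:
        return True, f"{PARAM} = 1: dynamic RFC destinations disabled"
    return False, f"{PARAM} = {value}: dynamic RFC destinations still allowed"

if __name__ == "__main__":
    for name, profs in (("weak", (PROFILE_WEAK,)), ("hardened", (PROFILE_WEAK, PROFILE_HARDENED))):
        ok, msg = audit_dynamic_dest(*profs)
        print(f"[{'OK' if ok else 'FAIL'}] {name}: {msg}")
```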
