SAP Security Notes, June 2025

HotNews Note 3600840 patches a critical missing authorization check in SAP NetWeaver Application Server ABAP (AS ABAP) that could lead to an escalation of privileges. The RFC start authorization S_RFC is not checked for transactional RFC (tRFC) and queued RFC (qRFC) calls when recorded RFCs are played back. Kernel versions 789, 793, 914 and 915 for AS ABAP are affected. Note 3600840 adds authorization checks for tRFC and qRFC calls during playback, and the accompanying Knowledge Base Article (KBA) 3601919 describes how to roll them out. The new checks are switched on by a profile parameter rather than enforced immediately, so that existing integration scenarios can be authorized first. According to the KBA, once the note and the kernel patch are applied, activate event ID FU6 in the Security Audit Log; FU6 records the RFC playback scenarios that require the additional S_RFC authorizations. Grant those authorizations to the affected users, and only then enable enforcement by setting profile parameter rfc/authCheckInPlayback to 1.
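The rollout order matters: FU6 events are collected while the check is still off, the missing S_RFC authorizations are granted, and the parameter is set last. The script below is an added example (not SAP code and not part of the original post) that turns an FU6 export into a per-user gap list against existing S_RFC grants, so the parameter is only switched to 1 once nothing is uncovered. The semicolon-separated column layout (timestamp;user;client;event;rfc_type;function_module;function_group) and the sample rows are constructed assumptions; map the fields to whatever your SM20 or RSAU_READ_LOG export actually produces. The S_RFC field names used (RFC_TYPE with values FUNC or FUGR, RFC_NAME, ACTVT 16) are the real ones.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a Security Audit Log export; NOT real data.
# Assumed columns: timestamp;user;client;event;rfc_type;function_module;function_group
# The last row is a non-FU6 event and must be ignored.
SAMPLE_EXPORT = """\
2025-06-12 08:01:13;BATCH_WF;100;FU6;tRFC;ZFI_POST_DOCUMENT;ZFI_RFC
2025-06-12 08:01:14;BATCH_WF;100;FU6;tRFC;ZFI_POST_DOCUMENT;ZFI_RFC
2025-06-12 08:03:40;ALEREMOTE;100;FU6;qRFC;IDOC_INBOUND_ASYNCHRONOUS;EDIN
2025-06-12 08:05:02;BATCH_WF;100;FU6;qRFC;ZMM_UPDATE_STOCK;ZMM_RFC
2025-06-12 08:05:03;ALEREMOTE;100;AU3;;;
"""

FIELDS = ["timestamp", "user", "client", "event",
          "rfc_type", "function_module", "function_group"]


def parse_fu6_export(text):
    """Return only FU6 rows as dicts; every other audit event is skipped."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=FIELDS, delimiter=";")
    return [row for row in reader if row["event"] == "FU6"]


def required_s_rfc(events):
    """Map user -> set of (function_module, function_group) seen in playback."""
    needed = defaultdict(set)
    for e in events:
        needed[e["user"]].add((e["function_module"], e["function_group"]))
    return needed


def is_covered(fm, fugr, grants):
    """grants: (RFC_TYPE, RFC_NAME) pairs of the user's S_RFC with ACTVT 16.
    FUNC names a function module, FUGR a function group; '*' is a wildcard."""
    for rfc_type, rfc_name in grants:
        if rfc_type == "FUNC" and rfc_name in (fm, "*"):
            return True
        if rfc_type == "FUGR" and rfc_name in (fugr, "*"):
            return True
    return False


def missing_authorizations(needed, granted):
    """Return {user: [(fm, fugr), ...]} for playback calls not yet authorized."""
    gaps = {}
    for user, calls in needed.items():
        uncovered = sorted(c for c in calls
                           if not is_covered(c[0], c[1], granted.get(user, ())))
        if uncovered:
            gaps[user] = uncovered
    return gaps


def rollout_ready(gaps):
    """rfc/authCheckInPlayback may be set to 1 only when no scenario is uncovered."""
    return not gaps


# Constructed current S_RFC assignments (ACTVT 16 assumed on each); NOT real roles.
GRANTED = {
    "BATCH_WF": {("FUGR", "ZFI_RFC")},
    "ALEREMOTE": {("FUNC", "IDOC_INBOUND_ASYNCHRONOUS")},
}

if __name__ == "__main__":
    needed = required_s_rfc(parse_fu6_export(SAMPLE_EXPORT))
    gaps = missing_authorizations(needed, GRANTED)
    for user, calls in gaps.items():
        for fm, fugr in calls:
            print(f"{user}: add S_RFC RFC_TYPE=FUNC RFC_NAME={fm} ACTVT=16 "
                  f"(function group {fugr})")
    print("safe to set rfc/authCheckInPlayback = 1:", rollout_ready(gaps))
```

In the constructed sample, BATCH_WF is covered for ZFI_POST_DOCUMENT through its function-group grant but still lacks S_RFC for ZMM_UPDATE_STOCK, so the script reports that gap and answers False; rerun it after each round of role changes until it answers True, then set the parameter.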

Note 3609271 addresses a high-risk information disclosure vulnerability in the AC Plugin of SAP GRC that could enable attackers to modify system credentials using an SMB relay attack.

Note 3606484 provides corrections for SAP Business Warehouse (BW) to prevent attackers from dropping arbitrary SAP tables, which would result in the loss of database records. The corrections remove the vulnerable code from the affected RFC function module.

Note 3610006 patches multiple memory corruption and session management vulnerabilities in SAP Master Data Management (MDM) Server; among the corrections is randomized session token generation for the session management weaknesses.

Note 3560693 applies input validation to address a stored cross-site scripting vulnerability in BI Workspace within SAP BusinessObjects Business Intelligence.
