SAP Security Notes, August 2025

Hot News notes 3581961 and 3627998 patch critical code injection vulnerabilities in SAP S/4HANA. Both carry a CVSS score of 9.9/10. The vulnerabilities affect the function modules /SLOAP/GEN_MODULE_REPORT and /SLOAE/DEPLOY, which can be exploited to inject code and install backdoors that bypass authorization checks. Both function modules are used for reporting and analysis and ship with the S4CORE software component, so every S/4HANA system is in scope.

Note 3633838 patches an equally critical code injection vulnerability in the Analysis Platform of SAP Landscape Transformation (SLT).

Note 3611184 addresses high-risk memory corruption and reflected cross-site scripting (XSS) vulnerabilities in SAP NetWeaver Application Server ABAP (AS ABAP). The vulnerabilities affect BIC documents used for batch processing. As a workaround, the BIC ICF service can be deactivated with transaction SICF; since this also disables the functionality for any batch process that depends on the service, confirm nothing in the landscape calls it before switching it off in production.

Note 3602656 patches a privilege escalation vulnerability in NetWeaver AS ABAP by tightening the authorization checks for the barcode interface, based on authorization object S_WFAR_OBJ. Roles that legitimately use the interface may need the corresponding S_WFAR_OBJ values after the note is applied.

Note 3601480 provides a kernel patch that stops the Internet Communication Manager (ICM) in NetWeaver AS ABAP from writing sensitive tokens to its HTTP access logs. Until the kernel is patched, the exposure can also be reduced by avoiding log formats that record the affected values in profile parameter icm/HTTP/logging_<n> (for example icm/HTTP/logging_0). Log files written before the fix should be treated as sensitive, since any token already recorded in them remains usable until it expires or is revoked.
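What "sensitive tokens in HTTP logs" looks like in practice, as an added example that is not part of the original post or of the SAP note: a small Python audit of an ICM logging parameter value and of sample access log lines. The parameter syntax (a comma-separated option list with a LOGFORMAT option accepting Apache-style %{Header}i request-header directives), the surrounding PREFIX/LOGFILE/MAXSIZEKB options, the query-string parameter names and all log lines are assumptions or constructed data; the note itself does not state which token or header it concerns.

```python
from __future__ import annotations
import re

# Constructed values of an ICM HTTP logging profile parameter. Assumption: the
# real icm/HTTP/logging_<n> syntax is a comma-separated option list with a
# LOGFORMAT option that accepts Apache-style %{Header}i request-header
# directives; the other options shown are illustrative.
WEAK_PARAM = (
    'PREFIX=/,LOGFILE=$(DIR_LOGGING)/icmhttp.log,MAXSIZEKB=10240,'
    'LOGFORMAT=%h %u %t "%r" %s %b %{Authorization}i %{Cookie}i'
)
HARDENED_PARAM = (
    'PREFIX=/,LOGFILE=$(DIR_LOGGING)/icmhttp.log,MAXSIZEKB=10240,'
    'LOGFORMAT=%h %u %t "%r" %s %b'
)

# Request headers that carry credentials or session material. Any %{...}i
# directive naming one of these writes the secret verbatim to the log file.
SECRET_HEADERS = {"authorization", "proxy-authorization", "cookie",
                  "x-csrf-token", "sap-password"}


def logformat_of(param_value: str) -> str:
    """Extract the LOGFORMAT option from a logging parameter value."""
    for option in param_value.split(","):
        key, _, value = option.partition("=")
        if key.strip().upper() == "LOGFORMAT":
            return value
    return ""


def logged_secret_headers(param_value: str) -> list[str]:
    """Return every %{Header}i directive in LOGFORMAT that logs a secret header."""
    fmt = logformat_of(param_value)
    return [m.group(0) for m in re.finditer(r"%\{([^}]+)\}i", fmt)
            if m.group(1).strip().lower() in SECRET_HEADERS]


# Constructed ICM-style access log lines (not real log data). Layout follows
# WEAK_PARAM: host user time "request" status bytes authorization cookie,
# with "-" standing for an absent field.
SAMPLE_LOG = """\
10.0.0.5 - [14/Aug/2025:09:12:01 +0200] "GET /sap/bc/rest/demo/items HTTP/1.1" 200 512 Bearer eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.c2lnbmF0dXJl -
10.0.0.7 - [14/Aug/2025:09:12:03 +0200] "GET /sap/bc/ui5_ui5/ui2/ushell/shells/abap/FioriLaunchpad.html HTTP/1.1" 200 9120 - SAP_SESSIONID_PRD_100=abc123def456; MYSAPSSO2=AjQxMDMBABhEAEUAVgAx
10.0.0.9 - [14/Aug/2025:09:12:05 +0200] "GET /sap/public/ping HTTP/1.1" 200 30 - -
10.0.0.9 - [14/Aug/2025:09:12:06 +0200] "GET /sap/bc/rest/demo/items?access_token=ya29.A0AbCdEf HTTP/1.1" 200 512 - -
"""

# Token shapes worth alerting on. MYSAPSSO2 and SAP_SESSIONID_<SID>_<client>
# are the well-known SAP SSO and session cookies; the query-string parameter
# names are illustrative.
TOKEN_PATTERNS = {
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]{16,}"),
    "sso_cookie": re.compile(r"\bMYSAPSSO2=[^;\s]+"),
    "session_cookie": re.compile(r"\bSAP_SESSIONID_\w+=[^;\s]+"),
    "token_in_query": re.compile(
        r"[?&](?:access_token|sap-password|token)=[^&\s\"]+", re.IGNORECASE),
}


def find_leaked_tokens(log_text: str) -> list[tuple[int, str]]:
    """Scan log lines and return (line number, token kind) for each leak found."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, kind))
    return hits


if __name__ == "__main__":
    print("weak format logs:", logged_secret_headers(WEAK_PARAM))
    print("hardened format logs:", logged_secret_headers(HARDENED_PARAM))
    for lineno, kind in find_leaked_tokens(SAMPLE_LOG):
        print(f"line {lineno}: {kind}")
```

Two things the sample shows that the note text alone does not: dropping the header directives from LOGFORMAT removes the Authorization and Cookie leaks (lines 1 and 2), but line 4 is still caught because the request line %r carries the query string, so a token passed as a URL parameter is logged under either format. A log scan like find_leaked_tokens therefore belongs alongside the parameter change, both to size the exposure in existing files and to catch clients that put tokens in URLs.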
