SAP’s August 2025 security update addresses multiple critical vulnerabilities, including two code injection flaws in SAP S/4HANA with CVSS scores of 9.9. These vulnerabilities, patched by notes 3581961 and 3627998, could allow attackers to install backdoors, bypassing all authorization checks and leading to full system compromise.
The August 2025 SAP Patch Day delivered fixes for twenty-six vulnerabilities, featuring four critical “HotNews” notes and three high-priority notes. The most severe issues involve code injection vulnerabilities in S/4HANA and SAP Landscape Transformation, which allow attackers to inject and execute arbitrary code remotely. Note 3633838 addresses an equally critical code injection flaw in the Analysis Platform of SAP Landscape Transformation, also rated at 9.9 CVSS. Additionally, several high-risk vulnerabilities in SAP NetWeaver Application Server ABAP (AS ABAP) were patched. These include memory corruption, reflected cross-site scripting (XSS), privilege escalation, and the logging of sensitive tokens. Organizations are strongly advised to apply these patches immediately to mitigate the significant risks of system compromise, data theft, and operational disruption.
Key Takeaways
- Critical S/4HANA Flaws: Notes 3581961 and 3627998 fix 9.9 CVSS code injection vulnerabilities that allow for backdoors.
- Landscape Transformation Vulnerability: Note 3633838 patches a 9.9 CVSS code injection flaw in the Analysis Platform.
- NetWeaver AS ABAP Patches: Multiple high-risk issues were fixed, including memory corruption, XSS, and privilege escalation.
- Immediate Action Required: Due to the severity and risk of full system compromise, these patches should be applied urgently.
What are the most critical vulnerabilities for August 2025?
The most critical vulnerabilities are three code injection flaws, each with a CVSS score of 9.9/10. Two of these impact SAP S/4HANA and are addressed by HotNews notes 3581961 and 3627998. These vulnerabilities affect the S4CORE function modules /SLOAP/GENMODULEREPORT and /SLOAE/DEPLOY, which can be exploited to install backdoors that bypass authorization checks. The third critical flaw, patched by note 3633838, is a similar code injection vulnerability in the Analysis Platform of SAP Landscape Transformation.
What vulnerabilities were patched in NetWeaver AS ABAP?
Several vulnerabilities in SAP NetWeaver Application Server ABAP (AS ABAP) were addressed in August 2025.
- Note 3611184: Patches high-risk memory corruption and reflected cross-site scripting (XSS) vulnerabilities related to BIC documents used for batch processing. As a temporary workaround, the BIC ICF service can be deactivated via transaction SICF.
- Note 3602656: Addresses a privilege escalation vulnerability by enhancing permissions for the barcode interface through the
SWFAROBJauthorization object. - Note 3601480: Delivers a kernel patch to stop sensitive tokens from being logged in the Internet Communication Manager (ICM) HTTP logs. This can also be mitigated by adjusting the
icm/HTTPlogging0profile parameter to avoid specific log formats.
Frequently Asked Questions (FAQ)
What was the most significant threat in the August 2025 SAP patches?
The most significant threats were three critical code injection vulnerabilities (CVSS 9.9) in SAP S/4HANA and SAP Landscape Transformation, patched by notes 3581961, 3627998, and 3633838. These could allow full system compromise.
What was the impact of the S/4HANA code injection vulnerabilities?
The vulnerabilities in S/4HANA allowed an attacker to exploit function modules to inject arbitrary ABAP code, bypassing authorization checks to create a backdoor. This could lead to a full compromise of the system’s confidentiality, integrity, and availability.
How can the NetWeaver XSS vulnerability be mitigated?
For the reflected XSS vulnerability in SAP NetWeaver AS ABAP patched by note 3611184, a workaround is available. Administrators can deactivate the BIC ICF service using transaction SICF to mitigate the risk before applying the patch.