SAP Security Notes, May 2025

HotNews note 3594142 patches a critical missing authorization check in the development server of Visual Composer within SAP NetWeaver Application Server Java (AS Java). The note addresses CVE-2025-31324, a zero-day vulnerability discovered and reported by ReliaQuest on April 22. The note includes a correction for specific support packages of version 7.50 of AS Java. Workarounds for earlier versions that are no longer maintained by SAP are detailed in Knowledge Base Article (KBA) 3593336. The recommended workaround is the complete removal of the Visual Composer Metadata Uploader application using a telnet connection or the NetWeaver Development Studio. If the component is required in AS Java systems, an Access Control List (ACL) in the ICM and/or network firewall rules can be applied to restrict access to Visual Composer. The steps are detailed in the KBA.

The corrections for CVE-2025-31324 can also be applied through note 3604119, which addresses a deserialization vulnerability in the Visual Composer. The note should be applied irrespective of the implementation status of note 3594142.
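Triage logic for the ACL/firewall workaround above, as an added example that is not from the original post or from SAP: it parses web-server access log lines in Common Log Format (constructed samples) and grades each request that reaches the Metadata Uploader by whether its source lies inside the network allowlist the ICM ACL or firewall rules are meant to enforce. The uploader path, the allowlist and the log layout are assumptions; confirm all three against your own landscape.

```python
import ipaddress
import re

# Path of the Visual Composer Metadata Uploader. Assumption: the page does not give
# it; confirm the exact path on your own AS Java system before relying on it.
UPLOADER_PATH = "/developmentserver/metadatauploader"
# Networks that may legitimately reach the uploader (constructed sample allowlist;
# mirror it from the ICM ACL or firewall rules applied per KBA 3593336).
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Common Log Format: host ident user [time] "method path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')


def is_allowed(src_ip, nets=ALLOWED_NETS):
    """True when the source address lies inside one of the allowed networks."""
    try:
        ip = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def triage(lines, path=UPLOADER_PATH, nets=ALLOWED_NETS):
    """Return (severity, source, method, status) for each request to the uploader."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the triage
        src, _ts, method, req_path, status, _size = m.groups()
        if not req_path.lower().startswith(path.lower()):
            continue
        if is_allowed(src, nets):
            sev = "info"      # expected developer traffic
        elif method == "POST" and status.startswith("2"):
            sev = "critical"  # upload from outside the allowlist was accepted
        elif method == "POST":
            sev = "high"      # upload attempted but rejected by the server
        else:
            sev = "medium"    # endpoint probed (GET/HEAD) from outside
        findings.append((sev, src, method, status))
    return findings

# Constructed sample log lines, not real traffic.
SAMPLE = [
    '10.20.5.7 - - [05/May/2025:09:12:01 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 512',
    '203.0.113.9 - - [05/May/2025:09:15:44 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 98',
    '203.0.113.9 - - [05/May/2025:09:15:46 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 307',
    '198.51.100.4 - - [05/May/2025:10:02:13 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 403 0',
    '10.20.5.7 - - [05/May/2025:10:05:00 +0000] "GET /irj/portal HTTP/1.1" 200 4096',
]
```

A "critical" finding means the uploader accepted a POST from outside the allowlist, which is exactly the condition the ACL or removal workaround is meant to make impossible; run `triage(SAMPLE)` to see the four graded findings.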

Note 3600859 disables a vulnerable remote-enabled function module in S/4HANA that threat actors can exploit to replace SAP programs, including standard ABAP programs. The function module is not used by standard SAP processes, so calls to it will generate a dump once the correction in the note is applied.

Note 3578900 patches multiple vulnerabilities in SAP Supplier Relationship Management (SRM), including blind XML External Entity (XXE), reflected Cross-Site Scripting (XSS), and information disclosure. The vulnerabilities are due to a deprecated Java Applet used by SRM Live Auction.

Notes 3591978 and 3483344 provide corrections for high-priority missing authorization checks in SAP Landscape Transformation and SAP PDCE, respectively.
