SAP’s April 2025 security update addresses several critical and high-risk vulnerabilities, led by a command injection flaw in S/4HANA that could allow full system compromise. Other significant patches fix an authentication bypass in SAP Financial Consolidation and two information disclosure vulnerabilities in SAP BusinessObjects and NetWeaver AS ABAP.
This month’s security notes require immediate attention from administrators managing SAP S/4HANA, Financial Consolidation, BusinessObjects, and NetWeaver systems. The most severe vulnerability, detailed in Hot News note 3581961, affects all on-premise and private cloud releases of S/4HANA: an authenticated attacker with ordinary user privileges can call a remote-enabled function module over RFC, bypass authorization checks, and plant a backdoor with full administrative access. Similarly critical is an authentication bypass in SAP Financial Consolidation (Note 3572688) that exposes the administrator account. High-priority notes address information disclosure risks, with one (Note 3525794) leading to passphrase leakage in SAP BusinessObjects and another (Note 3554667) exposing RFC destination credentials in NetWeaver AS ABAP. Applying the corresponding support packages and kernel patches is the only complete fix; the workarounds described below reduce exposure until that is done.
Key Takeaways
- A critical command injection vulnerability (Note 3581961) impacts all SAP S/4HANA on-premise and private cloud releases.
- An authentication bypass flaw (Note 3572688) compromises the administrator account in SAP Financial Consolidation.
- High-risk information disclosure vulnerabilities expose credentials in SAP BusinessObjects (Note 3525794) and NetWeaver AS ABAP (Note 3554667).
- Standalone SAP Landscape Transformation (DMIS) installations are also affected by the S/4HANA vulnerability and require a separate patch (Note 3587115).
- Immediate patching is required for all affected systems to prevent potential system compromise.
Summary of April 2025 SAP Security Notes
The table below summarizes the key vulnerabilities addressed in the April 2025 SAP Security Notes.
| SAP Note | Priority | Vulnerability Type | Affected Product(s) | Impact |
|---|---|---|---|---|
| 3581961 | Hot News | Command Injection | SAP S/4HANA, SAP Landscape Transformation (DMIS) | Full administrative access and system compromise. |
| 3572688 | Hot News | Authentication Bypass | SAP Financial Consolidation | Compromise of the Admin account. |
| 3525794 | High | Information Disclosure | SAP BusinessObjects Business Intelligence (BOBJ) | Leakage of user authentication passphrases. |
| 3554667 | High | Information Disclosure | SAP NetWeaver AS ABAP | Discovery of credentials for RFC destinations. |
What is the Most Critical Vulnerability in April 2025?
The most critical vulnerability is a command injection flaw in SAP S/4HANA, addressed by Hot News note 3581961. An authenticated attacker with ordinary user privileges can call a remote-enabled function module over RFC to create a backdoor, bypass authorization checks, and gain full administrative access to the system; because RFC is reachable from any client with network access to the gateway, a single compromised dialog or service user is sufficient. All on-premise and private cloud releases of S/4HANA are impacted. The same vulnerability affects standalone SAP Landscape Transformation installations with the DMIS software component, which is patched separately via note 3587115.
What Vulnerability Affects SAP Financial Consolidation?
Hot News note 3572688 addresses a vulnerability that allows attackers to bypass authentication mechanisms in SAP Financial Consolidation. This flaw can lead to the compromise of the Admin account, which is primarily used for initial system installation, configuration, and ongoing user administration.
What Information Disclosure Vulnerabilities Were Patched?
Two high-priority notes address information disclosure vulnerabilities. Note 3525794 deals with a flaw in SAP BusinessObjects Business Intelligence (BOBJ) that could leak the passphrases used for user authentication. Until the patch is applied, Trusted Authentication can be disabled in the Central Management Console as a workaround; this breaks any single sign-on integration that depends on Trusted Authentication, so coordinate the change with the owners of those integrations. Note 3554667 patches a similar high-risk vulnerability in SAP NetWeaver AS ABAP, where an attacker could discover credentials for RFC destinations using specific RFC calls. The fix is delivered as kernel patches; as an interim mitigation, the profile parameter rfc/dynamic_dest_api_only can be set to 1 to restrict the creation of dynamic RFC destinations to the dynamic destination API.
Frequently Asked Questions (FAQ)
What is SAP Hot News note 3581961?
It is the Hot News patch for a command injection vulnerability in SAP S/4HANA that lets an authenticated attacker gain full administrative access by exploiting a vulnerable remote-enabled RFC function module. Standalone SAP Landscape Transformation (DMIS) systems receive the same fix through note 3587115.
Are there workarounds for these vulnerabilities?
Workarounds are available for two of the vulnerabilities. For the SAP BusinessObjects flaw (3525794), you can disable Trusted Authentication in the Central Management Console, at the cost of any single sign-on that depends on it. For the NetWeaver AS ABAP vulnerability (3554667), you can restrict dynamic RFC destinations by setting the profile parameter rfc/dynamic_dest_api_only to 1 in the instance profile (or DEFAULT.PFL for all instances). Check in transaction RZ11 whether your kernel allows the parameter to be switched dynamically or requires a restart, and test custom code that creates dynamic destinations before rolling the setting out; it is a mitigation, not a replacement for the kernel patch.
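To verify that the rfc/dynamic_dest_api_only workaround described here and in the information disclosure section above actually takes effect, the following Python script is an added example (not code from the SAP note or from this article). It resolves a parameter across the profile chain the way the kernel does, with the instance profile overriding DEFAULT.PFL, and flags any system where the effective value is not 1. The profile contents are constructed samples; the kernel default of 0 for an unset parameter is an assumption, and the parser deliberately ignores $(...) substitutions and INCLUDE directives.

```python
"""Check the effective value of security-relevant SAP profile parameters.

Added example: parses text in the DEFAULT.PFL / instance-profile layout
(key = value, '#' comments, later lines win) and reports whether
rfc/dynamic_dest_api_only resolves to the value the workaround requires.
"""
from dataclasses import dataclass
import re

# Constructed sample profiles for illustration only.
DEFAULT_PFL = """\
# DEFAULT.PFL (constructed sample)
SAPSYSTEMNAME = PRD
login/min_password_lng = 8
rfc/dynamic_dest_api_only = 0
"""

INSTANCE_PFL_WEAK = """\
# PRD_D00_host (constructed sample): leaves the RFC parameter alone
SAPSYSTEM = 00
INSTANCE_NAME = D00
"""

INSTANCE_PFL_FIXED = """\
# PRD_D00_host (constructed sample): applies the note 3554667 workaround
SAPSYSTEM = 00
INSTANCE_NAME = D00
rfc/dynamic_dest_api_only = 1
"""

# Parameters to check: the value the workaround requires and the value
# assumed when no profile sets the parameter (the 0 default is an
# assumption made for this example; confirm it in RZ11 on your kernel).
CHECKS = {
    "rfc/dynamic_dest_api_only": {"required": "1", "kernel_default": "0"},
}

PARAM_RE = re.compile(r"^([A-Za-z0-9_/\-.]+)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return {param: value}; comments and blanks skipped, duplicates: last wins.
    $(...) references and INCLUDE lines are not expanded."""
    params = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = PARAM_RE.match(stripped)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def effective_value(param, profiles, kernel_default):
    """Resolve param across an ordered chain [(name, text), ...].
    Later entries override earlier ones, so pass DEFAULT.PFL first and the
    instance profile last; the kernel default applies if nothing sets it."""
    value, source = kernel_default, "kernel default"
    for name, text in profiles:
        parsed = parse_profile(text)
        if param in parsed:
            value, source = parsed[param], name
    return value, source


@dataclass
class Finding:
    param: str
    value: str
    source: str
    compliant: bool


def check_profiles(profiles, checks=CHECKS):
    """Evaluate every parameter in checks against the profile chain."""
    findings = []
    for param, spec in checks.items():
        value, source = effective_value(param, profiles, spec["kernel_default"])
        findings.append(Finding(param, value, source, value == spec["required"]))
    return findings


if __name__ == "__main__":
    for label, inst in (("weak", INSTANCE_PFL_WEAK), ("fixed", INSTANCE_PFL_FIXED)):
        chain = [("DEFAULT.PFL", DEFAULT_PFL), ("PRD_D00_host", inst)]
        for f in check_profiles(chain):
            status = "OK" if f.compliant else "NOT COMPLIANT"
            print(f"[{label}] {f.param} = {f.value} (from {f.source}): {status}")
```

Run it against the real /sapmnt/<SID>/profile/DEFAULT.PFL and each instance profile by reading the files into the chain in that order; a finding sourced from "kernel default" means nobody has set the parameter at all, which is the case most easily missed when the mitigation is applied to only some instances.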
Which SAP products are affected by the April 2025 security notes?
The key products affected are SAP S/4HANA (all on-premise and private cloud releases), SAP Landscape Transformation (standalone DMIS component), SAP Financial Consolidation, SAP BusinessObjects Business Intelligence (BOBJ), and SAP NetWeaver AS ABAP.