The July 2025 SAP Security Notes feature several “hot news” patches for critical insecure deserialization vulnerabilities in SAP NetWeaver AS Java components. The most severe issue is a 10.0 CVSS score vulnerability in SAP SRM, alongside a critical code injection flaw in S/4HANA and SCM that could allow for a full system takeover.
SAP’s July 2025 patch release addresses multiple high-priority threats, led by a series of “hot news” notes (3610892, 3621236, 3620498, 3621771) targeting insecure deserialization in SAP NetWeaver AS Java. These flaws can lead to malicious code execution. The month’s most critical patch, Note 3578900, corrects a 10.0 CVSS vulnerability, also for insecure deserialization, in the Live Auction Cockpit of SAP SRM. Another major threat is a code injection vulnerability in SAP S/4HANA and SAP SCM, fixed by Note 3618955, which could allow attackers to gain complete control of affected systems. Other significant patches address privilege escalation in NetWeaver AS ABAP (3623440), a denial-of-service risk in SAP BW (3623255), and outdated Apache Struts components in SAP BOBJ (3565279). Organizations should prioritize the application of these patches to mitigate significant security risks.
Key Takeaways
- Apply multiple “hot news” patches for insecure deserialization in SAP NetWeaver AS Java.
- Prioritize Note 3578900, which fixes a 10.0 CVSS score vulnerability in SAP SRM.
- Patch the critical code injection flaw in SAP S/4HANA and SCM (Note 3618955).
- Address privilege escalation and denial-of-service risks in NetWeaver ABAP and BW.
- Update vulnerable Apache Struts components in SAP BusinessObjects (BOBJ).
- Review workarounds for disabling the LogViewer if immediate patching is not possible.
What are the most critical vulnerabilities for July 2025?
The July 2025 patch day is significant due to the high number of critical vulnerabilities, including six “hot news” notes. The most urgent issues involve a perfect 10.0 CVSS score vulnerability in SAP SRM, a series of insecure deserialization flaws in NetWeaver AS Java, and a critical code injection vulnerability affecting S/4HANA and SCM. Organizations should prioritize these patches to prevent potential system compromise.
The following table summarizes the most important notes released this month:
| Note Number | Vulnerability Type | Affected Product(s) | Criticality / CVSS Score |
|---|---|---|---|
| 3578900 | Insecure Deserialization | SAP SRM (Live Auction Cockpit) | 10.0 |
| 3618955 | Code Injection | SAP S/4HANA, SAP SCM | 9.9 |
| 3610892 | Insecure Deserialization | SAP NetWeaver AS Java (XML Data Archiving) | 9.1 (Hot News) |
| 3621236 | Insecure Deserialization | SAP NetWeaver AS Java (Enterprise Portal Admin) | 9.1 (Hot News) |
| 3620498 | Insecure Deserialization | SAP NetWeaver AS Java (Federated Portal Network) | 9.1 (Hot News) |
| 3621771 | Insecure Deserialization | SAP NetWeaver AS Java (Log Viewer) | 9.1 (Hot News) |
| 3623440 | Escalation of Privileges | SAP NetWeaver AS ABAP | High |
| 3623255 | Denial of Service | SAP Business Warehouse (BW) | High |
| 3565279 | Insecure File Operations | SAP BusinessObjects (BOBJ) | 8.0 |
| 3610591 | Directory Traversal | SAP NetWeaver Visual Composer | High |
What Are the “Hot News” Insecure Deserialization Vulnerabilities?
A significant focus of the July 2025 patches is on insecure deserialization, a dangerous class of vulnerability where an application processes untrusted data without proper validation. This month, SAP released four “hot news” notes with a CVSS score of 9.1 to address these flaws in various SAP NetWeaver AS Java components. Successful exploitation could allow an attacker to execute malicious code, leading to a high impact on confidentiality, integrity, and availability.
The affected components and corresponding notes are:
- XML Data Archiving Service: Note 3610892
- Enterprise Portal Administration: Note 3621236
- Federated Portal Network: Note 3620498
- Log Viewer: Note 3621771
What Other High-Priority Patches Were Released?
Beyond the critical deserialization and code injection flaws, several other important notes were released. Note 3623440 addresses a privilege escalation vulnerability in SAP NetWeaver AS ABAP by introducing stricter authorization checks. Another note, 3623255, protects SAP Business Warehouse (BW) from a potential denial-of-service attack by securing a vulnerable function module.
Additionally, Note 3565279 patches older, vulnerable versions of Apache Struts in SAP BusinessObjects Business Intelligence (BOBJ), and Note 3610591 corrects a directory traversal vulnerability in SAP NetWeaver Visual Composer.
Frequently Asked Questions (FAQ)
Q: What is the single most critical SAP vulnerability patched in July 2025?
A: The most critical vulnerability is an insecure deserialization flaw in the Live Auction Cockpit of SAP Supplier Relationship Management (SRM), addressed by Note 3578900. It has a CVSS score of 10.0, the highest possible rating, allowing an unauthenticated attacker to potentially execute arbitrary OS commands.
Q: Are there any workarounds if I cannot patch immediately?
A: Yes, a workaround is available for the insecure deserialization vulnerability in the Log Viewer (Note 3621771). The instructions include disabling the LogViewer service. After disabling it, log files can still be analyzed directly from the file system or by using the SAP Management Console (SAP MMC).
Q: Which SAP products are affected by the critical code injection vulnerability?
A: A critical code injection vulnerability, patched by Note 3618955, affects SAP S/4HANA and SAP Supply Chain Management (SCM). This flaw could allow an authenticated attacker to create and execute malicious reports, potentially taking full control of the system.