A critical “Hot News” SAP security note headlines the June 2025 patch release, addressing a privilege escalation vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP). Organizations should prioritize applying this patch, note 3600840, alongside other high-risk updates for SAP GRC, BW, MDM, and BusinessObjects.
The June 2025 SAP Security Patch Day delivers crucial fixes for a range of vulnerabilities across the SAP landscape. The most severe is a missing authorization check in the RFC framework of AS ABAP, which could allow an authenticated attacker to escalate privileges and significantly impact application integrity and availability. Another high-risk note, 3609271, patches an information disclosure vulnerability in SAP GRC that could be exploited via an SMB Relay Attack to modify system credentials. Further patches address risks of data loss in SAP Business Warehouse (BW) by preventing attackers from dropping database tables, and memory corruption issues in SAP Master Data Management (MDM). Rounding out the key updates is a fix for a stored cross-site scripting (XSS) vulnerability in SAP BusinessObjects. This month’s release underscores the importance of timely patching to mitigate risks of privilege escalation, data loss, and system compromise.
Key Takeaways for June 2025
- Critical AS ABAP Patch: Hot News note 3600840 fixes a critical privilege escalation flaw in the RFC framework.
- High-Risk GRC Vulnerability: Note 3609271 addresses an information disclosure flaw in SAP GRC’s AC Plugin.
- Data Loss Prevention in BW: Note 3606484 provides corrections to stop attackers from deleting arbitrary tables in SAP BW.
- MDM Server Hardened: Note 3610006 patches memory corruption and session management flaws in SAP MDM Server.
- BusinessObjects XSS Fixed: Note 3560693 validates input to resolve a stored cross-site scripting issue in BI Workspace.
What is the Most Critical SAP Vulnerability for June 2025?
The most critical vulnerability is a missing authorization check in SAP NetWeaver Application Server ABAP (AS ABAP), patched by Hot News note 3600840. The flaw, rated CVSS 9.6, allows an authenticated attacker to bypass the standard authorization checks for transactional RFC (tRFC) and queued RFC (qRFC) calls, yielding a significant escalation of privileges; successful exploitation can critically impact the integrity and availability of the application. The fix is delivered as a Kernel patch for Kernel releases 789, 793, 914, and 915 and introduces additional authorization checks. Importing the Kernel patch alone does not enforce them: administrators must switch the checks on by setting the profile parameter rfc/authCheckInPlayback to 1, and should first grant any RFC authorizations the new checks will require, or legitimate tRFC/qRFC processing may start failing once enforcement is active.
What Other High-Risk SAP Vulnerabilities Were Patched?
Beyond the critical Hot News note, several other high- and medium-priority vulnerabilities were addressed in the June 2025 patch release, affecting SAP GRC, BW, MDM, and BusinessObjects.
| Note Number | Component | Vulnerability Type | Risk Level |
|---|---|---|---|
| 3600840 | AS ABAP | Escalation of Privileges | Critical (Hot News) |
| 3609271 | SAP GRC | Information Disclosure (SMB Relay) | High |
| 3606484 | SAP BW | Data Loss (Table Deletion) | High |
| 3610006 | SAP MDM | Memory Corruption / Session Mgt. | High |
| 3560693 | SAP BusinessObjects | Stored Cross-Site Scripting (XSS) | Medium |
Summary of High-Priority June 2025 SAP Security Notes
- Note 3609271 (SAP GRC): This note addresses a high-risk information disclosure vulnerability in the AC Plugin of SAP GRC. An attacker could exploit this to modify system credentials using an SMB Relay Attack.
- Note 3606484 (SAP BW): This patch provides crucial corrections for SAP Business Warehouse to prevent an authenticated attacker from dropping arbitrary SAP tables, which could lead to a significant loss of database records. The fix removes vulnerable code within an RFC function module.
- Note 3610006 (SAP MDM): This note patches multiple memory corruption and insecure session management vulnerabilities in the SAP Master Data Management (MDM) Server. The fix introduces randomized session token generation to enhance security.
- Note 3560693 (SAP BusinessObjects): This patch addresses a stored cross-site scripting (XSS) vulnerability within the BI Workspace component by applying proper input validation.
Frequently Asked Questions (FAQ)
What is SAP Hot News note 3600840?
SAP Hot News note 3600840 is a critical patch for a missing authorization check vulnerability in SAP NetWeaver Application Server ABAP. It prevents authenticated users from escalating privileges by bypassing authorization checks for tRFC and qRFC calls during the playback of recorded RFCs.
What action is required after applying the patch for note 3600840?
Activation is a two-step process. After applying the note and the required Kernel patches, administrators should first activate event ID FU6 in the security audit log; FU6 records the scenarios that would need additional authorization under the new checks while the parameter is still off. Once the missing authorizations revealed by FU6 have been granted, the checks are enforced by setting the profile parameter rfc/authCheckInPlayback to 1. Setting the parameter before reviewing FU6 risks breaking legitimate tRFC and qRFC processing.
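The following is an added, illustrative readiness check for the rollout sequence described above and in the section on note 3600840; it is written for this article and is not SAP's own tooling. It reads SAP-style instance profile text to tell whether rfc/authCheckInPlayback is enforcing, summarizes FU6 hits into the user/function-module pairs that still need authorizations, and combines both into a go/no-go verdict. The profile snippets, user names, function-module names and the pipe-separated FU6 line layout are all constructed for the example; the real Security Audit Log file format differs, so the parser would need adapting to a genuine export.

```python
"""Rollout readiness check for SAP Hot News note 3600840 (added example).

Illustrative code for this article, not SAP tooling. It models the two-step
activation the note describes:
  1. run with FU6 logging on and rfc/authCheckInPlayback still unset/0;
  2. grant the authorizations FU6 reveals, then set the parameter to 1.

Assumptions: the profiles and FU6 records below are constructed; the FU6
line layout ``FU6|user|client|function_module`` is a simplified stand-in,
not the real Security Audit Log file format.
"""
from collections import defaultdict

PARAM = "rfc/authCheckInPlayback"


def parse_profile(text: str) -> dict:
    """Parse SAP-style profile text: ``name = value`` per line, ``#`` starts
    a comment, blank lines are ignored, later lines override earlier ones."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[key.strip()] = value.strip()
    return params


def enforcement_state(params: dict) -> str:
    """'enforcing' when the parameter is 1, 'disabled' when set to anything
    else, 'unset' when absent (the note says it must be switched on
    explicitly, so absent means the new checks are not active)."""
    value = params.get(PARAM)
    if value is None:
        return "unset"
    return "enforcing" if value == "1" else "disabled"


def summarize_fu6(lines) -> dict:
    """Group FU6 records into client/user -> set of function modules that
    would have failed the new authorization check. Non-FU6 lines are skipped."""
    pending = defaultdict(set)
    for line in lines:
        fields = line.strip().split("|")
        if len(fields) != 4 or fields[0] != "FU6":
            continue
        _, user, client, fm = fields
        pending[f"{client}/{user}"].add(fm)
    return dict(pending)


def rollout_verdict(profile_text: str, fu6_lines) -> dict:
    """Combine parameter state and FU6 findings into a go/no-go for
    setting rfc/authCheckInPlayback = 1."""
    state = enforcement_state(parse_profile(profile_text))
    pending = summarize_fu6(fu6_lines)
    if state == "enforcing":
        ready, reason = True, "checks already enforced"
    elif pending:
        ready, reason = False, f"grant authorizations for {len(pending)} user(s) first"
    else:
        ready, reason = True, f"no FU6 hits in monitoring window; set {PARAM} = 1"
    return {"state": state, "pending": pending, "ready": ready, "reason": reason}


# Constructed sample profiles (not real systems).
PROFILE_PRD = """
SAPSYSTEMNAME = PRD
INSTANCE_NAME = D00
rfc/authCheckInPlayback = 1   # enforced after the 3600840 rollout
"""
PROFILE_QAS = """
SAPSYSTEMNAME = QAS
INSTANCE_NAME = D01
# parameter not yet set: Kernel patched, checks still in monitoring mode
"""
PROFILE_DEV = """
SAPSYSTEMNAME = DEV
rfc/authCheckInPlayback = 0
"""

# Constructed FU6 records from QAS monitoring (simplified layout, see docstring).
FU6_QAS = [
    "FU6|BATCH_USER|100|Z_POST_ORDERS",
    "FU6|BATCH_USER|100|Z_POST_ORDERS",   # repeated hit for the same pair
    "FU6|RFC_WF|100|Z_UPDATE_PRICES",
    "AU1|SOMEONE|100|logon",              # unrelated event, ignored
]

if __name__ == "__main__":
    systems = [("PRD", PROFILE_PRD, []), ("QAS", PROFILE_QAS, FU6_QAS), ("DEV", PROFILE_DEV, [])]
    for name, prof, fu6 in systems:
        v = rollout_verdict(prof, fu6)
        print(f"{name}: {v['state']:9} {'ready' if v['ready'] else 'NOT ready'} - {v['reason']}")
        for who, fms in sorted(v["pending"].items()):
            print(f"    {who}: {', '.join(sorted(fms))}")
```

Run against real systems, the pending list is what the authorization team needs before the parameter is set to 1; an empty list over a representative monitoring window (one covering the full batch and interface schedule) is the signal that enforcement can be switched on.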
What is the vulnerability in SAP GRC note 3609271?
Note 3609271 patches a high-risk information disclosure vulnerability in the SAP GRC AC Plugin. The flaw could allow an attacker to modify system credentials through a technique known as an SMB Relay Attack.