SAP’s security notes for March 2025 address several high-priority vulnerabilities across its product landscape. The patches include a high-risk missing authorization check in SAP NetWeaver AS ABAP, a Cross-Site Scripting (XSS) flaw in SAP Commerce, an authentication bypass in SAP Approuter, and multiple issues in SAP Commerce Cloud stemming from a vulnerable version of Apache Tomcat.
This advisory summarizes the key vulnerabilities SAP addressed in its March 11, 2025 security patch release. The most critical patch, Note 3563927, corrects a missing authorization check in SAP NetWeaver Application Server ABAP (AS ABAP) that could allow for privilege escalation. Another significant fix, Note 3569602, addresses a Cross-Site Scripting (XSS) vulnerability in SAP Commerce caused by an insecure open-source library. SAP also patched open-source component vulnerabilities in SAP Commerce Cloud (Note 3566851), which was exposed to Denial of Service and other risks through an outdated version of Apache Tomcat. Additionally, a critical authentication bypass in SAP Approuter was fixed in Note 3567974, requiring users to update to a new version to prevent code injection attacks. An update was also issued for a previously released note (3483344) concerning a missing authentication check in S/4HANA components.
Key Takeaways
- A high-risk privilege escalation vulnerability in SAP NetWeaver AS ABAP was patched.
- SAP Commerce was affected by a Cross-Site Scripting (XSS) flaw due to a vulnerable open-source library.
- SAP Commerce Cloud is impacted by Denial of Service (DoS) and other vulnerabilities via Apache Tomcat.
- An authentication bypass vulnerability was discovered and patched in SAP Approuter.
- An existing note for a missing authentication check in S/4HANA components was updated.
March 2025 SAP Security Note Details
| SAP Note | Product(s) Affected | Vulnerability Type | Impact | Recommended Action |
|---|---|---|---|---|
| 3563927 | SAP NetWeaver AS ABAP | Missing Authorization Check | Escalation of Privileges | Apply correction to restrict development functions via transaction SA38. |
| 3569602 | SAP Commerce | Cross-Site Scripting (XSS) | High impact on confidentiality, integrity, and availability. | Remove or block the vulnerable open-source component. |
| 3566851 | SAP Commerce Cloud | Denial of Service (DoS), Unchecked Error Conditions | Denial of Service, potential authentication bypass. | Apply updates that include patched Apache Tomcat versions. |
| 3567974 | SAP Approuter | Authentication Bypass (Code Injection) | Session hijacking. | Update deployments to version 16.7.2 or higher. |
| 3483344 | S/4HANA (PDCE Components) | Missing Authentication Check | Escalation of Privileges. | Apply updated patch. |
What Was the High-Risk Vulnerability in SAP NetWeaver AS ABAP?
Note 3563927 addresses a high-risk missing authorization check in SAP NetWeaver Application Server ABAP (AS ABAP) that could lead to an escalation of privileges. The vulnerability allowed for the execution of development functions using the SA38 transaction from the ABAP Class Builder. The correction restricts this capability by properly enforcing checks on the S_PROGRAM authorization object, which governs program execution based on authorization groups.
What Cross-Site Scripting (XSS) Flaw Affected SAP Commerce?
Note 3569602 patches a Cross-Site Scripting (XSS) vulnerability in SAP Commerce. The flaw originated from insufficient input validation within an open-source library (Swagger UI) included in the product. An unauthenticated attacker could inject malicious code, leading to a high impact on confidentiality, integrity, and availability. The note provides a workaround that involves removing the use of the vulnerable component or blocking access to it via network controls.
Which Vulnerabilities Impacted SAP Commerce Cloud?
SAP Commerce Cloud was impacted by vulnerabilities in its included version of Apache Tomcat, as detailed in Note 3566851. These vulnerabilities exposed the application to a Denial of Service (DoS) attack (CVE-2024-38286) and unchecked error conditions (CVE-2024-52316) that could potentially lead to an authentication bypass. SAP provided updates that include a non-vulnerable version of Apache Tomcat to resolve these issues.
How Was SAP Approuter Vulnerable to Authentication Bypass?
Note 3567974 details an authentication bypass vulnerability in SAP Approuter that could be exploited through code injection. The vulnerability affected all SAP Approuter deployments in the BTP environment, allowing an unauthenticated attacker to potentially steal a victim’s session. SAP recommends that all customers update their deployments to version 16.7.2 or higher to mitigate the risk.
What Was the Update to the S/4HANA Authentication Check Note?
Note 3483344, which addresses a missing authentication check, was updated for specific components in S/4HANA that support PDCE. The affected components, including S4CORE, S4COREOP, and SEM-BW, were vulnerable, and the update provides the necessary corrections.
Frequently Asked Questions (FAQ)
What was the most critical SAP vulnerability patched in March 2025?
The most critical vulnerability was a high-risk missing authorization check in SAP NetWeaver AS ABAP (Note 3563927), which could lead to an escalation of privileges.
Which SAP products were affected by open-source vulnerabilities?
SAP Commerce and SAP Commerce Cloud were affected by vulnerabilities in open-source components. SAP Commerce had an XSS flaw from an included library, while SAP Commerce Cloud was exposed to risks from a vulnerable version of Apache Tomcat.
What action is recommended for the SAP Approuter vulnerability?
For the authentication bypass vulnerability in SAP Approuter (Note 3567974), SAP recommends updating all deployments to version 16.7.2 or higher.