SAP Security Notes May 2025: Critical Zero-Day and High-Priority Patches

SAP’s May 2025 security advisories feature a critical zero-day vulnerability in SAP NetWeaver AS Java, alongside high-priority patches for S/4HANA and SAP Supplier Relationship Management (SRM). The most urgent update, hot news note 3594142, addresses a missing authorization check that is under active exploitation.

This month’s security notes require immediate attention from administrators to mitigate significant risks. The primary concern is CVE-2025-31324, a critical zero-day vulnerability in the Visual Composer component of SAP NetWeaver AS Java. This flaw allows for a full compromise of affected systems and should be patched immediately. Additionally, a separate note addresses a dangerous code injection vulnerability in S/4HANA that could allow attackers to replace standard ABAP programs. Other high-priority notes patch multiple vulnerabilities in SAP SRM, including XXE and Cross-Site Scripting, and resolve missing authorization checks in SAP Landscape Transformation and SAP PDCE. Applying these patches promptly is crucial for protecting mission-critical SAP systems from potential exploitation.

Key Takeaways

  • Apply hot news note 3594142 immediately to patch the critical zero-day vulnerability (CVE-2025-31324) in SAP NetWeaver AS Java.
  • Implement note 3604119 to fix a related deserialization vulnerability in Visual Composer.
  • Deploy note 3600859 to disable a vulnerable function module in S/4HANA that allows for program replacement.
  • Patch multiple vulnerabilities in SAP SRM, including XXE and XSS, by applying note 3578900.
  • Address high-priority authorization flaws in SAP Landscape Transformation and SAP PDCE with notes 3591978 and 3483344.

What is the Critical Zero-Day Vulnerability (CVE-2025-31324)?

Hot news note 3594142 patches a critical missing authorization check in the Visual Composer’s development server on SAP NetWeaver Application Server Java (AS Java). This vulnerability is identified as CVE-2025-31324, a zero-day flaw discovered and reported by ReliaQuest on April 22. The note provides a correction for AS Java version 7.50. For older, unmaintained versions, KBA 3593336 details workarounds, with the primary recommendation being the complete removal of the Visual Composer Metadata Uploader application. Alternatively, access can be restricted using an ACL in the ICM or network firewall rules.
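As an added example (not code from SAP, the note or the KBA), the following Python checker reads HTTP access-log lines and flags requests to the Metadata Uploader path from clients outside the administrative allowlist, which is exactly the condition the ICM ACL or firewall workaround is meant to prevent. The path prefix, log layout and network ranges are placeholders and constructed sample values; substitute the real application path from KBA 3593336 and your own ICM log format.

```python
import ipaddress
import re
from typing import Dict, List

# Assumed path prefix of the Visual Composer Metadata Uploader application
# (placeholder; take the real path from KBA 3593336 for your release).
UPLOADER_PATH_PREFIX = "/vc-metadatauploader"

# Administrative networks permitted to reach the uploader, mirroring the
# ICM ACL / firewall allowlist the KBA recommends (constructed values).
ADMIN_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]

# Simplified access-log layout (constructed, not SAP's real ICM format):
#   <client-ip> <method> <path> <status>
LOG_RE = re.compile(r"^(\S+) (GET|POST|PUT) (\S+) (\d{3})$")


def is_allowed(client_ip: str) -> bool:
    """True if the client sits inside an allowlisted administrative network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ADMIN_NETWORKS)


def find_uploader_access(lines: List[str]) -> List[Dict[str, str]]:
    """Report requests to the uploader path from non-allowlisted clients.
    A 2xx answer means the ACL/firewall restriction is missing or bypassed
    for that client (severity high); a 4xx answer shows it working (info).
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip, do not abort the whole scan
        ip, method, path, status = m.groups()
        if not path.lower().startswith(UPLOADER_PATH_PREFIX) or is_allowed(ip):
            continue
        severity = "high" if status.startswith("2") else "info"
        findings.append({"ip": ip, "method": method, "path": path,
                         "status": status, "severity": severity})
    return findings


# Constructed sample log lines for demonstration.
SAMPLE_LOG = [
    "10.10.5.20 POST /vc-metadatauploader 200",      # admin network: expected
    "203.0.113.7 POST /vc-metadatauploader 200",     # external + 2xx: alarm
    "198.51.100.9 GET /vc-metadatauploader?x=1 403", # external but blocked
    "203.0.113.7 GET /irj/portal 200",               # unrelated path
    "garbage line",                                  # unparsable
]
```

Any "high" finding means an unauthenticated external client reached the uploader successfully, so the workaround should be verified (and the host reviewed) on that system.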

What Other Vulnerabilities Affect Visual Composer?

Note 3604119 addresses a separate deserialization vulnerability in the Visual Composer. It is recommended to apply this note regardless of whether note 3594142 has already been implemented to ensure comprehensive protection.

What is the S/4HANA Program Replacement Vulnerability?

Note 3600859 disables a vulnerable remote-enabled function module in S/4HANA. This function module is not used by standard SAP processes but could be exploited by attackers to replace SAP programs, including standard ABAP programs. After the correction is applied, any calls to this function module will result in a dump.

What Vulnerabilities Were Patched in SAP SRM?

Note 3578900 addresses multiple vulnerabilities within SAP Supplier Relationship Management (SRM) that stem from a deprecated Java Applet used by SRM Live Auction. The patched vulnerabilities include blind XML External Entity (XXE), reflected Cross-Site Scripting (XSS), and information disclosure.

What Other High-Priority Notes Were Released?

Two other high-priority notes were released to address missing authorization checks. Note 3591978 provides corrections for SAP Landscape Transformation, and note 3483344 patches a similar vulnerability in SAP PDCE.

Frequently Asked Questions (FAQ)

What is the most critical SAP vulnerability for May 2025?
The most critical vulnerability is CVE-2025-31324, a zero-day missing authorization check in the Visual Composer of SAP NetWeaver AS Java. It is addressed by hot news note 3594142 and has a CVSS score of 10.0.

How do I fix CVE-2025-31324?
You should apply hot news note 3594142 for supported systems (AS Java 7.50). For older systems, KBA 3593336 provides workarounds, including removing the vulnerable application or restricting access via firewall rules.

Should I apply note 3604119 if I already applied the patch for the zero-day?
Yes, note 3604119 patches a separate deserialization vulnerability in the same Visual Composer component and should be applied irrespective of the implementation status of note 3594142.
