Skip to main content

Updates address two critical vulnerabilities which could lead to information disclosure or privilege escalation, and fourteen others affecting multiple products

Threat ID:CC-4603
Threat Severity:Medium
Published:14 January 2025 3:22 PM

Summary

Updates address two critical vulnerabilities which could lead to information disclosure or privilege escalation, and fourteen others affecting multiple products

Affected platforms

The following platforms are known to be affected:

SAP NetWeaver Application Server

The following platforms are also known to be affected:

  • BusinessObjects Business Intelligence Platform
  • SAPSetup
  • Business Workflow and SAP Flexible Workflow
  • SAP GUI for Windows
  • SAP GUI for Java

Threat details

Introduction

SAP has released January 2025 security updates addressing multiple vulnerabilities affecting multiple product lines. Of concern are vulnerabilities affecting the SAP NetWeaver product line. SAP NetWeaver is a software stack used for many of SAP's applications. SAP NetWeaver Application Server (AS) is the runtime environment for the applications and is a requirement for all products in the mySAP Business Suite.

The below vulnerabilities affect NetWeaver AS for ABAP and ABAP Platform:

  • CVE-2025-0070 is an 'improper authentication' vulnerability with a CVSSv3 score of 9.9. If exploited, an authenticated attacker with low privileges could escalate privileges
  • CVE-2025-0066 is an 'incorrect permission assignment for critical resource' vulnerability with a CVSSv3 score of 9.9. If exploited, an authenticated attacker with low privileges could achieve information disclosure. 
  • CVE-2025-0063 is an 'improper neutralization of special elements used in an SQL command' vulnerability with a CVSSv3 score of 8.8. If exploited, an authenticated attacker with low privileges could perform SQL Injection

The security updates also address 13 further vulnerabilities affecting multiple products. 

Remediation advice

Affected organisations are encouraged to review the 'SAP Security Patch Day – January 2025' security notes and apply any relevant updates.

Definitive source of threat updates

CVE Vulnerabilities

StatusPublished
CVE-2025-0070SAP NetWeaver Application Server for ABAP and ABAP Platform allows an authenticated attacker to obtain illegitimate access to the system by exploiting improper authentication checks, resulting in privilege escalation. On successful exploitation, this can result in potential security concerns. This results in a high impact on confidentiality, integrity, and availability.
StatusPublished
CVE-2025-0066Under certain conditions SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) allows an attacker to access restricted information due to weak access controls. This can have a significant impact on the confidentiality, integrity, and availability of an application
StatusPublished
CVE-2025-0063SAP NetWeaver AS ABAP and ABAP Platform does not check for authorization when a user executes some RFC function modules. This could lead to an attacker with basic user privileges to gain control over the data in Informix database, leading to complete compromise of confidentiality, integrity and availability.

Last edited: 14 January 2025 3:22 pm

Back to top