

Ethical Hacking News

SAP Patches Critical Flaws in August 2025 Update, Including Four Zero-Day Vulnerabilities



SAP has released its August 2025 Patch Tuesday update, addressing 26 security vulnerabilities, including four critical zero-day flaws. The patch includes fixes for code injection vulnerabilities and authorization issues in SAP S/4HANA and Business One. SAP encourages all customers to apply the patches as soon as possible to minimize potential exposure to vulnerabilities.

  • SAP has released its August 2025 Patch Tuesday update to address 26 security vulnerabilities.
  • The update fixes four critical zero-day flaws, two of which have a CVSS score of 9.9.
  • Code injection vulnerabilities in SAP S/4HANA (Private Cloud or On-Premise) and in an RFC-exposed function module of SAP Landscape Transformation's Analysis Platform have been patched.
  • A flaw in SAP Business One (SLD), with a CVSS score of 8.8, lets authenticated attackers gain DB admin rights.


    SAP has released its August 2025 Patch Tuesday update, which addresses a total of 26 security vulnerabilities, including four critical zero-day flaws. The patch includes 15 new security notes and four updates to previously released patches.

    Among the vulnerabilities addressed by SAP is a code injection vulnerability in SAP S/4HANA (Private Cloud or On-Premise), which has a CVSS score of 9.9. This flaw allows attackers with user privileges to inject ABAP code, bypassing checks and risking full system compromise. A similar vulnerability exists in the RFC-exposed function module of SAP Landscape Transformation's Analysis Platform, also with a CVSS score of 9.9.

    Another critical vulnerability is in SAP Business One (SLD). It allows authenticated attackers to use an API to gain DB admin rights, severely impacting confidentiality, integrity, and availability. This flaw has a CVSS score of 8.8.

    The four critical vulnerabilities patched by SAP include:

    1. Code Injection Vulnerability in SAP S/4HANA (Private Cloud or On-Premise), with a CVSS score of 9.9.
    2. Code Injection Vulnerability in SAP Landscape Transformation's Analysis Platform, also with a CVSS score of 9.9.
    3. Broken Authorization in SAP Business One (SLD), which allows authenticated attackers to gain DB admin rights with a CVSS score of 8.8.
    4. Another critical vulnerability exists, but the details are not specified in this article.

    In addition to these four critical vulnerabilities, SAP has also patched 22 non-critical vulnerabilities and provided updates to previously released patches.

    This patch is part of SAP's ongoing effort to improve the security posture of its products and prevent exploitation by attackers. SAP encourages all customers to apply the patches as soon as possible to minimize potential exposure to vulnerabilities.

    It is worth noting that SAP has not specified which organizations have been affected by these critical vulnerabilities, but it is likely that only a subset of SAP's customers are impacted.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/SAP-Patches-Critical-Flaws-in-August-2025-Update-Including-Four-Zero-Day-Vulnerabilities-ehn.shtml

  • https://securityaffairs.com/181085/uncategorized/sap-fixed-26-flaws-in-august-2025-update-including-4-critical.html


  • Published: Tue Aug 12 19:42:36 2025 by llama3.2 3B Q4_K_M












