Breaking Down SAP Patch Day for January 2025
Meet the Authors
Key Takeaways
⇨ SAP's first Security Patch Day for 2025 revealed 14 new Security Notes, including two critical vulnerabilities in SAP NetWeaver with CVSS scores of 9.9, necessitating immediate remediation by users.
⇨ Organizations are urged to actively patch vulnerabilities and swiftly address gaps in their cybersecurity posture, particularly for applications like SAP NetWeaver that are affected by the recent vulnerabilities.
⇨ Proactive security measures are essential; leading SAP organizations should routinely review their SAP landscape for vulnerabilities, rather than waiting for Patch Day to identify and address issues.
The first SAP Security Patch Day has arrived, and SAP released its initial Security Notes for 2025, highlighting several vulnerabilities throughout the SAP product suite. January 2025 Patch Day had 14 new Security Notes – two of which were determined to be critical, with CVSS scores of 9.9.
These critical vulnerabilities affected SAP NetWeaver affecting HTTP communication scenarios. One scenario allowed a hacker to take credentials from an internal RFC communication between two servers within the same system. In the other critical vulnerability, an attacker to read decrypted, plaintext credential information within SAP NetWeaver AS for ABAP and ABAP Platform required to communicate to other systems.
SAP NetWeaver was featured in eight of the 14 total new Security Notes. Users should immediately find and remediate the issues to ensure that their SAP landscape is secure. SAP BusinessObjects, SAPSetup, SAP GUI, and SAP Business Workflow were also mentioned in the January 2025 Patch Day. Users use SAP’s Support Portal to help them find and apply patches to address these and other issues in order to better protect their SAP landscape.
Explore related questions
Address Vulnerability
Onapsis Research Labs helped SAP to develop patches for the two critical vulnerabilities, along with another medium priority note. Additionally, the team helped address some issues with remote-enabled function modules that were not checking for the appropriate authorizations that they were supposed to. If left unaddressed, a hacker would have been able to access data that should have been restricted.
For help with patching SAP vulnerabilities, many organizations rely on third parties like Onapsis to gain deeper visibility into their deployments and address any potential security issues as they arise.
What This Means for SAPinsiders
Check Affected Applications. While actively patching any potential vulnerabilities should be standard practice for SAP organizations, those who are regular users of affected applications like SAP NetWeaver should be especially vigilant and move quickly to cover
Pay Attention to Patch Day. Once vulnerabilities are publicized, organizations should move quickly to address any potential gaps that they have in their cybersecurity posture, installing patches and ensuring that all affected applications are updated. Companies that find themselves unable to go through this process in a timely and efficient manner should seek solutions that minimize the time that they are exposed to
Bolster Your Security Profile. Leading SAP organizations do not just wait for Patch Day to discover and address vulnerabilities – they are proactively reviewing their own SAP landscape for any potential issues or gaps and working to find solutions.
Premium
