Patch Up, Lock Down: SAP Releases Latest Security Patches

The threat landscape for SAP systems is steadily growing, with ransomware and malware attacks becoming more frequent. While these attacks may not directly target SAP systems, they often affect connected systems and environments. For SAP customers, social engineering and credential compromise attacks are particularly worrisome, as they can expose sensitive data within SAP systems if successful. As a result, addressing system vulnerabilities has become a top priority for SAP users.

In 2024 SAPinsider report on cybersecurity, unpatched systems emerged as the leading cybersecurity threat to SAP environments. While unpatched systems, ransomware, and credential compromise remain the top concerns, the urgency of applying patches has gained more prominence in recent years. This is because delayed patching leaves systems exposed to exploitation, data theft, malicious code injection, and unauthorized access.

Security patches are essential to protect the platform from vulnerabilities that could be exploited by malicious actors, leading to data theft, operational disruptions, or compliance violations. SAP NetWeaver, a technology platform that serves as the foundation for many SAP applications, is a prime target for attacks. Especially for the NetWeaver platform, patching addresses weaknesses that could allow unauthorized access, code injection, or privilege escalation, safeguarding sensitive information and ensuring system integrity. Neglecting security patches to such systems leaves systems exposed to exploits, operational inefficiencies, and potential data breaches, highlighting the need for a proactive patch management strategy.

SAP has released 14 new security notes in its January 2025 Patch Day, addressing several critical vulnerabilities. Two high-severity issues in NetWeaver AS for ABAP and ABAP Platform, CVE-2025-0070 and CVE-2025-0066, both with a CVSS score of 9.9, were highlighted. CVE-2025-0070 is an improper authentication flaw that could let attackers steal credentials and impersonate internal systems, compromising confidentiality, integrity, and availability. CVE-2025-0066 is an information disclosure vulnerability that could expose plaintext credentials used for system communication. A high-severity SQL injection vulnerability in NetWeaver, CVE-2025-0063, with a CVSS score of 8.8, was also patched, along with two bugs in the BusinessObjects Business Intelligence platform and a DLL hijacking flaw in SAPSetup. The remaining notes address medium- and low-severity issues in various SAP components.

What this means for SAPinsiders

Establish a Robust Patching Program: Regularly update SAP systems and solutions by creating a clear policy for system and security patching. This should include designated times for applying routine and high-priority updates. Conduct routine audits to identify vulnerabilities and prioritize patch management to reduce risks.

Evaluate and Upgrade Technologies: Perform a thorough inventory of existing tools to identify obsolete systems or untapped capabilities. Invest in emerging technologies and make cybersecurity a budgetary priority to proactively address evolving threats.

Integrate SAP Security into a Holistic Cybersecurity Plan: Treat SAP as a critical system and ensure IT and security teams collaborate through cross-training. This will enhance mutual understanding, strengthen integration, and build a comprehensive cybersecurity strategy.