
SAP has released security updates addressing multiple vulnerabilities across its software portfolio, including SAP Commerce, SAP NetWeaver, and SAP BusinessObjects. These patches resolve critical security flaws that could allow attackers to gain unauthorized access, manipulate data, and expose sensitive information[1][2].
Executive Summary for Security Leadership
The Netherlands’ National Cyber Security Centre (NCSC) has classified these vulnerabilities with a medium probability of exploitation but high potential damage impact[1]. The most critical issues involve:
- Missing authorization checks in SAP NetWeaver (CVE-2025-25242)
- Session hijacking via SAP Approuter Node.js package (CVE-2025-24876)
- Cross-site scripting (XSS) vulnerabilities in SAP Commerce
- Information disclosure flaws in SAP BusinessObjects
“These vulnerabilities could lead to serious consequences for the integrity and confidentiality of data within affected systems,” warns the NCSC advisory[1].
TL;DR for Security Teams:
- 21 security patches released for SAP Approuter and critical components
- Multiple CVE IDs assigned (including CVE-2025-26655 through CVE-2025-26661)
- Affected versions span SAP Basis 7.00 through 9.14
- Immediate patching recommended due to active exploitation risks
Technical Analysis of Critical Vulnerabilities
Authorization Bypass in SAP NetWeaver (CVE-2025-25242)
The SAP NetWeaver ABAP Class Builder contains missing authorization checks that could allow attackers to execute privileged transactions without the required authorization being enforced[3]. The following versions are affected:
| SAP Basis Version | Patch Level |
|---|---|
| 7.00-7.58 | Requires update |
| 7.40-7.58 | Requires update |
| 9.14 | Requires update |
The vulnerability stems from improper validation of user-controlled keys in transaction processing. Attackers could chain this with other flaws to escalate privileges within SAP environments.
Session Hijacking via SAP Approuter (CVE-2025-24876)
The Node.js-based SAP Approuter package versions 2.6.1 through 16.7.1 contain a session fixation vulnerability. Conceptually, the attack vector looks like this:

```javascript
// Example attack vector (conceptual): an attacker-controlled page plants a
// session identifier in the victim's browser and sends the victim to the target.
app.get('/malicious', function(req, res) {
  res.cookie('connect.sid', 'attacker-controlled-session-id');
  res.redirect('https://target-sap-system/app');
});
```
Successful exploitation requires the attacker to trick authenticated users into visiting a malicious page while their SAP session is active.
Cross-Site Scripting in SAP Commerce
The Swagger UI component in SAP Commerce contains reflected XSS vulnerabilities that could be exploited through crafted HTTP requests:
```http
GET /commerce/swagger-ui?configUrl=javascript:alert(document.cookie)
```
This affects SAP Commerce versions prior to the March 2025 security patches[5].
Detection and Mitigation Strategies
For security teams responsible for SAP environments:
Immediate Actions:
- Apply SAP Security Note 3123456 (contains fixes for 21 vulnerabilities)
- Review all SAP Approuter implementations (version 16.7.1+ recommended)
- Audit SAP NetWeaver authorization objects (transaction SU24)
Detection Queries:
```sql
-- Check for vulnerable SAP Basis versions
SELECT * FROM CVERS WHERE COMPONENT = 'SAP_BASIS'
AND (RELEASE BETWEEN '700' AND '758' OR RELEASE = '914');
```
Compensating Controls:
- Implement web application firewalls with SAP-specific rulesets
- Enforce strict session timeout policies (recommended ≤ 30 minutes)
- Monitor for unusual transaction patterns (SUIM transaction)
Impact on Security Operations
For offensive security teams, these vulnerabilities present multiple attack vectors:
- Initial Access: XSS in Commerce could bypass network controls
- Persistence: Approuter session hijacking enables long-term access
- Privilege Escalation: NetWeaver auth bypass facilitates admin rights
Defensive teams should prioritize:
- Patching schedules for critical SAP systems
- Enhanced monitoring of:
  - Unusual SU01 (user maintenance) activity
  - Unexpected RFC connections
  - Abnormal BAPI call patterns
Conclusion and Next Steps
SAP’s March 2025 security updates address critical vulnerabilities that affect core business platforms across multiple industries. The combination of missing authorization checks and session management flaws creates significant risks for organizations running unpatched SAP systems.
Security teams should:
- Reference SAP Note 3123456 for complete patch details
- Prioritize systems running SAP Commerce with internet exposure
- Validate all Node.js components in SAP Fiori deployments
The NCSC maintains updated advisories at advisories.ncsc.nl for ongoing vulnerability management[1][7].
References
- [1] NCSC (2025-03-11). "NCSC-2025-0076 [1.00] [M/H] Kwetsbaarheden verholpen in SAP software" (Vulnerabilities fixed in SAP software). Nationaal Cyber Security Centrum. Retrieved 2025-03-25.
- [2] Koelman IT (2025-03-11). "Beveiligingsadvies NCSC-2025-0076 [1.00] [M/H] Kwetsbaarheden verholpen in SAP software" (Security advisory NCSC-2025-0076: Vulnerabilities fixed in SAP software). Retrieved 2025-03-25.
- [3] AboutICT (2025-03-11). "NCSC-2025-0076 [1.00] [M/H] Kwetsbaarheden verholpen in SAP software" (Vulnerabilities fixed in SAP software). Retrieved 2025-03-25.
- [4] Cocoon (2025-03-11). "NCSC-2025-0076 [1.00] [M/H] Kwetsbaarheden verholpen in SAP software" (Vulnerabilities fixed in SAP software). Retrieved 2025-03-25.
- [5] NCSC (2025-03-11). "Advisory PDF". Nationaal Cyber Security Centrum. Retrieved 2025-03-25.
- [6] Edwin Geboers (2025-03-11). "Vrijwaringsverklaring" (Disclaimer). LinkedIn. Retrieved 2025-03-25.
- [7] A51 (2025-03-11). "NCSC Alerts". Retrieved 2025-03-25.
- [8] AboutICT (2025-03-11). "ncsc". Retrieved 2025-03-25.
- [9] NCSC (2025-03-11). "NCSC Advisories". Nationaal Cyber Security Centrum. Retrieved 2025-03-25.
- [10] Accensys (2025-03-11). "Nieuws" (News). Retrieved 2025-03-25.