SAP Warns of High-Risk Code Injection Vulnerabilities, Issues Urgent Patches

SAP has issued an urgent call for action, releasing critical security patches for several of its core products. The updates address three high-risk code injection vulnerabilities, among other security gaps, and should be prioritized by companies, particularly those with internet-facing systems processing sensitive data.

The latest SAP Security Patch Day, held on August 12, 2025, brought to light three critical code injection vulnerabilities. These affect core SAP products and pose a significant threat to enterprise environments. SAP strongly advises obtaining the patches via the Support Portal, with immediate attention given to the three critical security gaps.

Notable updates include fixes for SAP GUI for Windows and the SAP Cloud Connector. Additionally, two new critical security vulnerabilities were identified: CVE-2025-42957 affecting SAP S/4HANA and CVE-2025-42950 affecting SAP Landscape Transformation. These vulnerabilities can be exploited with minimal effort and without user interaction, making them attractive targets for cybercriminals.

SAP has also readdressed a previously known code injection vulnerability in S/4HANA (CVE-2025-27429) with an update. The current patch cycle addresses a range of vulnerabilities with varying severity in several SAP products, including cross-site scripting (XSS) vulnerabilities, authorization bypass issues, and information disclosure vulnerabilities. In total, SAP published 15 new security advisories and updated 4 existing ones.

SAP's latest security updates underscore the importance of prompt action in protecting enterprise environments. Security teams are advised to treat the current patch cycle as urgent and coordinate swift implementation with SAP administrators on all affected systems. Companies should prioritize patching internet-facing systems and those processing sensitive data to mitigate potential risks.