Saturday, April 26, 2025

SAP patches severe vulnerabilities in NetWeaver and Commerce apps

by CybrGPT

The enterprise software vendor bundled 25 security patches into its March update, addressing flaws that impact middleware, interfaces, custom apps, and more.


SAP has patched high-severity vulnerabilities in its Commerce and NetWeaver enterprise software packages.

The updates came as part of 25 security patches released on Tuesday for the latest edition of SAP’s monthly patch release cycle.

SAP Security Note #3563927 addresses a critical vulnerability in transaction SA38 of SAP NetWeaver Application Server ABAP. If successfully exploited, the vulnerability (tracked as CVE-2025-26661) grants access to Class Builder functions that ought to be restricted to the ABAP Development Workbench.

The vulnerability scores 8.8 on the CVSS scale, well toward the critical end of the spectrum.

SAP NetWeaver Application Server ABAP (AS ABAP) is a middleware component in SAP’s software stack that acts as a foundation for many SAP applications. The technology ties together user interaction and desktop component integration (presentation layer), ABAP application servers and message servers (application layer), and databases.

ABAP is SAP’s proprietary language.

SAP Security Note #3569602 covers a cross-site scripting (XSS) vulnerability in SAP Commerce, stemming from security bugs in the open-source library swagger-ui bundled with the widely used middleware.

The flaw, tracked as CVE-2025-27434, lies in the explore feature of Swagger UI and gives an unauthenticated attacker a potential mechanism to inject malicious code from remote sources through a DOM-based XSS attack. A victim would first need to be tricked into placing a malicious payload into an input field, potentially through social engineering.

If successful, attackers would be able to breach the confidentiality, integrity, and availability of the application — earning the vulnerability a high CVSS score of 8.8.

Enterprises are advised to triage the vulnerability promptly or, at minimum, remove any use of swagger-ui in SAP Commerce or block access to Swagger consoles as workarounds against potential exploitation.

Another update, SAP Security Note #3566851, tagged with a CVSS score of 8.6, involves a denial of service (DoS) and an unchecked error condition vulnerability in SAP Commerce Cloud.

The same update also patches Apache Tomcat, a platform for hosting Java-based web applications that implements the Java Servlet and JavaServer Pages (JSP) specifications, catching up on vulnerabilities first disclosed last year (CVE-2024-38286 and CVE-2024-52316).

Additional SAP patches of note

Missing authorization checks in SAP PDCE FIN-BA (CVE-2024-39592, with a CVSS score of 7.7) are covered in another security update (SAP Security #3483344).

Enterprises that have deployed custom Java applications in SAP BTP implemented using the Spring Framework are advised to review SAP Security #3576540, an advisory that offers best practice guidance.

“Developers often use the Spring Boot Actuator, a tool exposing various URL endpoints that offer real-time application data, aiding in debugging and monitoring,” explains a blog post by enterprise application security specialists Onapsis. “However, without proper security measures, these endpoints can introduce serious vulnerabilities.”

The note lists the affected endpoints and describes the conditions under which applications are affected.
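The Actuator exposure described in the quoted guidance, as an added example that is not taken from SAP's note or the Onapsis post: a Spring Boot application.properties fragment contrasting the permissive configuration with a restricted one. The property keys are standard Spring Boot keys; the role name ACTUATOR_ADMIN and the management port are assumptions.

```properties
# --- Weak: every Actuator endpoint is served over the web to anyone who can reach the app ---
# management.endpoints.web.exposure.include=*
# management.endpoint.health.show-details=always

# --- Restricted: expose only what operations needs, hide detail from anonymous callers ---
# Only health and info are reachable over HTTP; the rest stay unexposed
management.endpoints.web.exposure.include=health,info
# Exclude wins over include, so these stay off even if the include list is widened later
management.endpoints.web.exposure.exclude=env,beans,heapdump,threaddump
# Serve Actuator on a separate port so the public reverse proxy never forwards to it (assumed port)
management.server.port=9090
# Health detail (datasource state, disk space, ...) only for authenticated callers in this role (assumed role name)
management.endpoint.health.show-details=when_authorized
management.endpoint.health.roles=ACTUATOR_ADMIN
```

The role check only means something if Spring Security is also configured to require authentication on the management port.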

Another bulletin, SAP Security Note #3567974, contains updated guidance about a vulnerability in SAP App Router addressed by the ERP software vendor last month.

The remainder of SAP’s March patch batch addresses “medium” and “low” impact flaws, as summarized in Onapsis’ blog post.

A full rundown of SAP’s patches can be found on the vendor’s website.

Enterprise systems from SAP, long viewed as an opaque black box, are increasingly being targeted by attackers, according to research unveiled at last year’s Black Hat conference.

The release of SAP’s patches coincided with updates from Microsoft, VMware, and others.


© 2025 cybrgpt.com – All rights reserved.