SAP's April Patch Day delivered 20 security notes, 18 new and two updated, addressing multiple high-risk vulnerabilities across its enterprise platforms. Three are rated critical: two code injection flaws and an authentication bypass.
Critical Code Injection Bugs in S/4HANA and Analysis Platform
Two of the most serious issues, CVE-2025-27429 and CVE-2025-31330, both with a CVSS score of 9.9, are code injection flaws affecting SAP S/4HANA (Private Cloud) and SAP Landscape Transformation (Analysis Platform).
Security researchers at Onapsis note that both CVEs describe the same underlying issue. SAP's patches fix it in both products by disabling the vulnerable remote-enabled function module.
According to Onapsis, the function module accepts arbitrary text from the caller and uses it to generate an ABAP report with the INSERT REPORT statement, so the caller's input becomes ABAP code on the server. Exploitation requires only S_RFC authorization for the function module or its function group, which is the basic authorization needed to call any remote-enabled function module over RFC. That low bar is what makes this a major risk if left unpatched.
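To make the mechanism concrete, the following is a constructed ABAP illustration, not SAP's own code or the actual patched function module: a remote-enabled function module that writes caller-supplied text into a program with INSERT REPORT, beside a hardened variant that demands a developer authorization, restricts the program name to the customer namespace, and takes no source code from the caller at all. The function names (Z_VULN_BUILD_REPORT, Z_SAFE_BUILD_REPORT) and parameters are hypothetical.

```abap
* Constructed illustration (not SAP's code). When a function module like
* this is marked "Remote-Enabled Module", anyone who can call it over RFC
* (S_RFC for the function or its group) becomes an ABAP developer: the
* caller's text is compiled into a program and executed.
FUNCTION z_vuln_build_report.
*"  IMPORTING
*"     VALUE(iv_progname) TYPE progname
*"     VALUE(it_source)   TYPE string_table
  " The only check performed was the S_RFC check by the RFC runtime.
  " The caller's lines are written verbatim as a program.
  INSERT REPORT iv_progname FROM it_source.
  " Running it completes the code-injection chain.
  SUBMIT (iv_progname) AND RETURN.
ENDFUNCTION.

* Hardened variant of the same idea. The real SAP fix simply disables the
* remote-enabled module; if report generation is genuinely required, the
* checks below are the minimum a practitioner would expect.
FUNCTION z_safe_build_report.
*"  IMPORTING
*"     VALUE(iv_progname) TYPE progname
*"  EXCEPTIONS
*"     not_authorized
*"     bad_name
  " 1. Require a developer authorization (S_DEVELOP, change activity),
  "    not merely the right to call the function over RFC.
  AUTHORITY-CHECK OBJECT 'S_DEVELOP'
    ID 'DEVCLASS' DUMMY
    ID 'OBJTYPE'  FIELD 'PROG'
    ID 'OBJNAME'  FIELD iv_progname
    ID 'P_GROUP'  DUMMY
    ID 'ACTVT'    FIELD '02'.
  IF sy-subrc <> 0.
    RAISE not_authorized.
  ENDIF.

  " 2. Only customer-namespace names, so no SAP-delivered program can be
  "    overwritten through this interface.
  IF iv_progname(1) <> 'Z' AND iv_progname(1) <> 'Y'.
    RAISE bad_name.
  ENDIF.

  " 3. The source is a fixed server-side template; the caller supplies a
  "    name, never code. INSERT REPORT is still used, but nothing the
  "    caller controls reaches the program text.
  DATA lt_source TYPE string_table.
  APPEND |REPORT { iv_progname }.| TO lt_source.
  APPEND `WRITE 'generated by template'.` TO lt_source.
  INSERT REPORT iv_progname FROM lt_source.
ENDFUNCTION.
```

The point of the comparison is that the dangerous ingredient is not INSERT REPORT itself but exposing it, over RFC, to input that the caller controls. Removing the remote-enablement flag, as SAP's patch does, closes the path regardless of what the body of the function does.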
Authentication Bypass Risk in SAP Financial Consolidation
The third critical vulnerability, CVE-2025-30016 (CVSS 9.8), affects SAP Financial Consolidation. It allows an unauthenticated attacker to bypass authentication and impersonate an administrator without any credentials.
Such a flaw could give an attacker full access to sensitive financial data and processes, making this a top-priority fix for SAP customers running Financial Consolidation.
High-Severity Vulnerabilities Also Addressed
SAP didn't stop at the critical issues. Five high-severity vulnerabilities were also resolved. One note fixes an improper authorization bug in the BusinessObjects Business Intelligence platform.
Other high-risk flaws include bugs in:
- NetWeaver Application Server ABAP
- Commerce Cloud
- Capital Yield Tax Management
The Commerce Cloud bug, a race condition in the bundled Apache Tomcat, is exploitable only under specific configuration conditions that are not enabled by default. That limits its immediate impact, but the patch should still be applied.
Medium and Low-Risk Bugs Fixed Across Platforms
In addition to the critical and high-risk patches, SAP also addressed:
- 10 medium-severity flaws
- 1 low-severity issue
These affected multiple components including:
- ERP BW Business Content
- BusinessObjects
- KMC WPC
- NetWeaver
- Solution Manager
- S4CORE entity
- S/4HANA
- Commerce Cloud
No Exploits Yet—But Patching Is Urgent
So far, SAP has not reported active exploitation of any of these vulnerabilities. However, given the severity of the critical flaws, in particular the unauthenticated admin impersonation and the remote code injection reachable with only S_RFC authorization, customers are strongly urged to install the patches immediately.
Security professionals warn that delays in patching create openings for threat actors, particularly in high-value environments such as enterprise resource planning (ERP) systems, where exploit development tends to follow public patch analysis closely.