SAP Critical Vulnerabilities - 20250115001

Overview

SAP released 14 new security notes during its monthly Security Patch Day. This release includes several critical and high-severity vulnerabilities affecting core SAP systems such as NetWeaver, BusinessObjects, and SAP GUI platforms.

What is vulnerable?

Product(s) Affected	Version(s)	CVE	CVSS	Severity
SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework)	SAP_BASIS 700  SAP_BASIS 701  SAP_BASIS 702 SAP_BASIS 731 SAP_BASIS 740 SAP_BASIS 750 SAP_BASIS 751 SAP_BASIS 752 SAP_BASIS 753 SAP_BASIS 754 SAP_BASIS 755 SAP_BASIS 756 SAP_BASIS 757 SAP_BASIS 758 SAP_BASIS 912 SAP_BASIS 913 SAP_BASIS 914	CVE-2025-0066	9.9	Critical
SAP NetWeaver Application Server for ABAP and ABAP Platform	KRNL64NUC 7.22 7.22EXT KRNL64UC 7.22 7.53 8.04 KERNEL 7.22 7.54 7.77 7.89 7.93 7.97 9.12 9.13 9.14	CVE-2025-0070	9.9	Critical

What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.

Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of 48 hours... (refer Patch Management):

• SAP Security Patch Day – January 2025: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/january-2025.html

Additional References

• SecurityOnline: https://securityonline.info/critical-sap-flaws-revealed-cve-2025-0070-and-cve-2025-0066-with-cvss-9-9-demand-immediate-action/