SAP’s March 2025 Patch Day: 24 Security Fixes with XSS and Authorization Drama!

Hot Take:

Well, SAP seems to have taken a page from the Oprah Winfrey playbook: “You get a patch, you get a patch, everyone gets a patch!” In their latest security update, SAP is not holding back, doling out fixes like candy on Halloween. But fear not, dear SAP users, these patches are more about securing your systems than rotting your teeth. So, buckle up, as we dive into the patch parade, where SAP is playing the hero in this cybersecurity saga.

Key Points:

• SAP released 21 new and three updated security notes in March 2025.
• Five high-priority security notes address critical vulnerabilities in Commerce, NetWeaver, and Commerce Cloud.
• The most severe issues have a CVSS score of 8.8, involving XSS and missing authorization checks.
• Patches were also issued for Apache Tomcat vulnerabilities in Commerce Cloud.
• 15 medium and five low-priority security notes tackle a range of issues in various SAP products.

Patch-palooza: The SAP Edition

SAP has unleashed a torrent of patches, 21 new and three updated security notes to be precise, in a bid to fortify its software fortress. It’s like watching an episode of a home makeover show, but with fewer paint swatches and more cybersecurity jargon. Among these notes, five have been marked with a high-priority label, akin to the golden tickets of the patch world. These notes tackle vulnerabilities that could make even the most stoic IT professional break into a sweat.

High Stakes: Vulnerabilities in the Spotlight

In the spotlight of this security drama are CVE-2025-27434 and CVE-2025-26661, both commanding a CVSS score of 8.8. Think of these vulnerabilities as the divas of the cybersecurity world, demanding attention and immediate action. The XSS bug in Commerce, courtesy of the Swagger UI library, is the kind of issue that makes you want to double-check every input field like you’re defusing a bomb in a spy movie. Meanwhile, the missing authorization check in NetWeaver discovered in transaction SA38 is the digital equivalent of leaving your front door wide open while shouting, “Come on in, everyone!”

Cloudy with a Chance of Patches

Commerce Cloud didn’t escape the patch party either, with SAP addressing two high-severity bugs in Apache Tomcat. These vulnerabilities were the cybersecurity equivalent of leaving your car unlocked with the keys in the ignition. By resolving these, SAP is ensuring that customers’ cloud environments are less like a Wild West saloon and more like Fort Knox.

Medium and Low Priority: The Understudies

As if the high-priority notes weren’t enough, SAP also rolled out 15 medium-priority and five low-priority security notes. These updates may not have the same headline-grabbing allure as their high-priority counterparts, but they’re the unsung heroes, quietly ensuring that the SAP ecosystem doesn’t crumble like a house of cards. From Business One to Fiori apps, each note plays a crucial role in maintaining order in the complex ballet of enterprise software.

Spring into Action

Among the low-priority notes, one stands out with a CVSS score of 0.0, which is about as exciting as watching paint dry. However, it provides best practice information about custom Java applications in SAP BTP implemented with the Spring Framework. It’s the kind of note that every developer needs to read while sipping their morning coffee, ensuring that the Spring Boot Activator doesn’t inadvertently open floodgates to potential vulnerabilities.

In conclusion, SAP’s latest patch day is a testament to the ever-evolving landscape of cybersecurity. With new threats emerging faster than you can say “buffer overflow,” companies like SAP are stepping up to keep their users safe. So, here’s to the unsung heroes of the IT world who patch our digital lives, ensuring that we can continue to share cat memes without fear of cyber doom. Until next time, stay patched, stay secure!