SAP Patches Critical Code Injection Vulnerabilities

SAP released 20 security notes on April 2025 patch day, including three addressing critical code injection and authentication bypass flaws.

SAP on Tuesday announced the release of 18 new and two updated security notes as part of its April 2025 Security Patch Day, including three notes addressing critical-severity vulnerabilities.

The first two critical flaws, tracked as CVE-2025-27429 and CVE-2025-31330 (CVSS score of 9.9) are code injection bugs in S/4HANA (Private Cloud) and Landscape Transformation (Analysis Platform).

According to enterprise software security firm Onapsis, however, the CVEs refer to the same security defect and SAP’s patches for them disable the same remote-enabled function module in both products.

“If unpatched, the function module accepts any text as input parameter and generates an ABAP report based on this input using the INSERT REPORT statement. For a successful exploit, it only requires S_RFC authorization on the respective function module or on ...