SAP released 19 new and two updated security notes in its February 2025 Patch Day, addressing high-severity vulnerabilities in NetWeaver, BusinessObjects, Supplier Relationship Management, Approuter, Enterprise Project Connection, and HANA. The most critical flaw (CVE-2025-0064, CVSS 8.7) allows attackers to impersonate users in BusinessObjects. Other key fixes include a path traversal flaw in Supplier Relationship Management (CVE-2025-25243, CVSS 8.6) and an authentication bypass in Approuter (CVE-2025-24876, CVSS 8.1). Medium-severity patches were also issued for Commerce Cloud, GUI for Windows, and other SAP products. While no active exploitation has been reported, organizations are urged to apply patches promptly to mitigate risks.

‍