SAP Patches High-Severity Vulnerabilities in Commerce, NetWeaver - SecurityWeek
SAP has released 21 new and three updated security notes as part of its March 2025 Security Patch Day. Five of the notes are rated high priority and address vulnerabilities in Commerce, NetWeaver, Commerce Cloud, Approuter, and PDCE.

The most severe issues, each with a CVSS score of 8.8, are CVE-2025-27434, a cross-site scripting vulnerability in the Swagger UI library used by SAP Commerce, and CVE-2025-26661, a missing authorization check in NetWeaver's transaction SA38. The Commerce Cloud notes address two high-severity Apache Tomcat bugs that could lead to denial of service or authentication bypass.

SAP also released 15 medium-priority security notes for products including Business One, BusinessObjects, and S/4HANA, plus five low-priority notes, among them best practices for securing custom Java applications built with the Spring Framework on SAP BTP.