
RFC code injection in SAP landscapes: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8534
Topic starter

TL;DR: SAP’s August 12, 2025 Patch Day delivers 15 new Security Notes and four updates, including three CVSS 9.9 code injection flaws in S/4HANA, Landscape Transformation, and Analytics that can lead to full system compromise through RFC-exposed function modules, according to Pathlock. RFC trust boundaries are now the decisive control point, because low-privilege access can become arbitrary ABAP execution in one step.

NHIMG editorial — based on content published by Pathlock: SAP August 2025 Patch Day security notes and mitigation guidance

By the numbers:

  • SAP has released 15 new Security Notes as part of the August 12, 2025 Patch Day, along with 4 updates to previously released notes.

Questions worth separating out

Q: What breaks when RFC-exposed SAP function modules are not tightly controlled?

A: Low-privilege input can be converted into trusted execution, which means an attacker may move from a normal user path to arbitrary ABAP code execution.

Q: Why do SAP transformation and analytics components create higher risk than standard application endpoints?

A: They sit close to data movement and system orchestration, so a flaw there can reach privileged business logic quickly.

Q: What do security teams get wrong about SAP patching?

A: They often treat patching as the whole answer and miss exposure inventory, entitlement scope, and service authorization.

Practitioner guidance

  • Inventory every RFC-exposed function module: map which RFC endpoints are reachable from internal networks, partner links, and custom integrations.
  • Tighten administrative authorization on SAP service APIs: review SLD, ICF, and other service-layer permissions so normal users cannot invoke admin operations.
  • Treat transformation and analytics layers as privileged execution surfaces: apply emergency patching and exposure reduction to S/4HANA transformation paths, SLT, and analytics endpoints.

What's in the full analysis

Pathlock’s full article covers the operational detail this post intentionally leaves for the source:

  • Component-by-component breakdown of each CVE across S/4HANA, SLT, Business One, NetWeaver, and SAP Cloud Connector.
  • Patch and mitigation guidance for each affected Security Note, including which services to deactivate if patching is delayed.
  • Expanded remediation instructions for SAP administrators who need to map notes to specific installed support package levels.
  • The full severity table and note-update history for teams preparing internal advisories and change windows.

👉 Read Pathlock’s August 2025 SAP Patch Day analysis →
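As an added example (not code from this post, from Pathlock, or from SAP), the following Python script shows what the first two guidance points look like as a repeatable check: take an inventory of remote-enabled function modules, join it against the RFC execute grants held by each role, and flag any module on a transformation or analytics layer that a non-administrative role can reach. The export format, the function module, function group and role names, and the set of admin roles are all constructed for the example; the grant records are modelled on the RFC_TYPE/RFC_NAME fields of SAP's S_RFC authorization object, which is an assumption about how a real export would be shaped.

```python
"""Audit which remote-enabled function modules non-admin roles can invoke over RFC.

Added example; inputs are constructed records that mimic an export of
remote-enabled function modules and of S_RFC grants. All names are hypothetical.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class FunctionModule:
    name: str    # function module name
    group: str   # function group it belongs to
    layer: str   # landscape layer, used for severity


@dataclass(frozen=True)
class RfcGrant:
    role: str
    rfc_type: str   # "FUNC" (single module) or "FUGR" (whole group), as in S_RFC (assumed layout)
    rfc_name: str   # exact name or pattern; "*" wildcards allowed


# Layers the post treats as privileged execution surfaces
PRIVILEGED_LAYERS = {"transformation", "analytics"}

# Constructed export of remote-enabled function modules (hypothetical names)
REMOTE_ENABLED = [
    FunctionModule("Z_LT_RUN_TRANSFORM", "ZLT_CORE", "transformation"),
    FunctionModule("Z_AN_EXEC_QUERY", "ZAN_QUERY", "analytics"),
    FunctionModule("Z_SD_READ_ORDER", "ZSD_READ", "application"),
]

# Constructed RFC execute grants per role (hypothetical roles)
GRANTS = [
    RfcGrant("Z_BASIS_ADMIN", "FUGR", "*"),             # admins: every function group
    RfcGrant("Z_INTEGRATION_USER", "FUGR", "ZLT_*"),    # partner link: whole transformation group
    RfcGrant("Z_REPORT_VIEWER", "FUNC", "Z_AN_*"),      # business user: every analytics module
    RfcGrant("Z_SALES_CLERK", "FUNC", "Z_SD_READ_ORDER"),
]

# Roles whose reach is expected; everything else counts as low-privilege (constructed)
ADMIN_ROLES = {"Z_BASIS_ADMIN"}


def grant_covers(grant: RfcGrant, fm: FunctionModule) -> bool:
    """True if this grant lets the role call the module over RFC."""
    if grant.rfc_type == "FUGR":
        return fnmatchcase(fm.group, grant.rfc_name)
    if grant.rfc_type == "FUNC":
        return fnmatchcase(fm.name, grant.rfc_name)
    return False


def roles_reaching(fm: FunctionModule, grants: list[RfcGrant]) -> list[str]:
    """All roles that hold at least one grant covering the module."""
    return sorted({g.role for g in grants if grant_covers(g, fm)})


def audit(modules, grants, admin_roles) -> list[dict]:
    """One inventory row per remote-enabled module; severity 'high' when a
    non-admin role can execute a module on a privileged layer, else 'info'."""
    findings = []
    for fm in modules:
        roles = roles_reaching(fm, grants)
        non_admin = [r for r in roles if r not in admin_roles]
        severity = "high" if fm.layer in PRIVILEGED_LAYERS and non_admin else "info"
        findings.append({
            "module": fm.name,
            "layer": fm.layer,
            "roles": roles,
            "non_admin_roles": non_admin,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for row in audit(REMOTE_ENABLED, GRANTS, ADMIN_ROLES):
        print(f"[{row['severity']:4}] {row['module']:<20} {row['layer']:<15} "
              f"non-admin reach: {', '.join(row['non_admin_roles']) or '-'}")
```

Running it on the constructed data reports two high findings: the transformation module reached by the partner-integration role through a group-level wildcard, and the analytics module reached by a report-viewer role through a module-name pattern. The low-privilege path in each case is a grant that is syntactically valid and easy to overlook during role review, which is why the check keys on reach rather than on role name.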

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 7990
 

RFC exposure is now an identity boundary, not just an application interface. These SAP notes show that the real control surface is not the patch number alone but who can reach trusted function modules, with what privilege, and through which path. When RFC endpoints can transform low-privilege input into code execution, the access model has already failed before the exploit runs. Practitioners should treat RFC reachability as part of identity governance, not as a separate network concern.

A few things that frame the scale:

A question worth separating out:

Q: Who is accountable when a broken SAP administrative check exposes privileged functions?

A: The accountable teams are both SAP platform owners and identity governance owners, because the failure sits at the intersection of application authorization, service principal control, and access review. Frameworks such as the NIST Cybersecurity Framework and SAP authorization governance both require these access paths to be limited, monitored, and recertified.

👉 Read our full editorial: SAP patch day exposes RFC code injection risk across core systems
