SAP Patches Critical Flaws in NetWeaver, Approuter, and Commerce Cloud
Three SAP products used by thousands of businesses worldwide carried serious security holes. Patches are now available, and anyone running the affected software should move fast.

Key points
- SAP released security fixes in 2025 for critical vulnerabilities, meaning severe software flaws, affecting NetWeaver, Approuter, and Commerce Cloud.
- The flaws could let attackers read and alter business data, knock systems offline, or manipulate web traffic between servers and users.
- SAP NetWeaver is one of the most widely deployed enterprise platforms on the planet, running core business processes at major corporations and government agencies.
- No public evidence of active exploitation has been confirmed at the time of writing, but critical SAP flaws attract attention quickly.
SAP, the German software giant whose products run payroll, supply chains, and finance systems at roughly 90 percent of the Fortune 500, has patched a set of critical vulnerabilities across three of its major products. SecurityWeek first reported the disclosures.
The affected products are SAP NetWeaver (the core integration platform that connects SAP applications), SAP Approuter (a service that manages how web requests are routed to the right application), and SAP Commerce Cloud (the company's e-commerce platform used by retailers and manufacturers).
The flaws are serious. According to SAP's advisories, an attacker who exploits them could access sensitive data without permission, change that data, make systems unavailable, and cause request-response desynchronization, where the software confuses one user's web session with another's, potentially exposing private information across accounts.
What does this mean for ordinary people?
If your employer, bank, or favourite retailer runs SAP software and hasn't applied these patches, criminals could potentially reach internal business records or disrupt the services you depend on. You wouldn't necessarily know it was happening. The practical risk to individuals is indirect: your data sits inside systems these products protect.
For IT teams and system administrators, the action is clear. Check your SAP landscape against the patched versions listed in the official SAP Security Notes, published through the SAP Support Portal. Apply the patches. Prioritise NetWeaver given its central role connecting other systems.
SAP pushes its security patches on the second Tuesday of each month, a cycle known as SAP Patch Day. Missing even one cycle on a critical fix is a material risk when the affected product handles payroll or customer orders.
No specific CVE numbers with public NVD entries were available at publication time. This article will be updated when CVE IDs are confirmed. CVSS scores (a 0-to-10 rating system for flaw severity) for the critical issues are expected to sit at 9.0 or above, consistent with past SAP critical disclosures.
The researcher or team credited with finding these specific bugs had not been publicly named in available materials at time of writing.
If you run SAP products: patch now, check your access logs for unusual data queries, and verify that your SAP systems are not directly reachable from the public internet without strong authentication controls in place.



