SAP Security Patch Day Addresses 21 Vulnerabilities, 4 Classified as Critical

SAP’s Security Patch Day on September 9, 2025, introduced fixes for 21 newly discovered vulnerabilities across its product portfolio and provided updates to four previously released security notes.

With four issues rated as Critical, organizations running SAP environments are urged to prioritize patching to safeguard their systems from potential exploits.

This month’s release spans a variety of SAP products, from NetWeaver components and ABAP platforms to S/4HANA and Business One modules.

Four of the newly addressed vulnerabilities carry a CVSS score of 9.0 or higher, reflecting the severity and potential impact on confidentiality, integrity, and availability if left unpatched.

Additionally, SAP issued updates for four earlier security notes to refine or expand existing patches.

SAP strongly recommends that customers visit the Support Portal and apply the relevant security notes immediately.

Following secure configuration guidance is also essential to maintain a robust security posture.

Vulnerability Details

The Critical issues include insecure deserialization in SAP NetWeaver, insecure file operations in AS Java, directory traversal in ABAP platforms, and missing authentication checks in NetWeaver kernels.

High-severity flaws mostly involve missing input validation or insecure storage, affecting modules like Business One, S/4HANA replication, and SAP Landscape Transformation servers.

Medium-rated vulnerabilities cover misconfigurations, cross-site scripting, and missing authorization checks in HCM Fiori apps, Commerce Cloud, and Business Planning modules.

Two Low-rated flaws address reverse tabnabbing in Fiori launchpads and outdated OpenSSL in Adobe Document Services, alongside a historical vulnerability in Commerce Cloud.

Below is a consolidated table listing each CVE identifier, the vulnerability title, SAP's priority rating, and the CVSS score.

| CVE(s) | Title | Priority | CVSS |
|---|---|---|---|
| CVE-2025-42944 | Insecure Deserialization | Critical | 10.0 |
| CVE-2025-42922 | Insecure File Operations | Critical | 9.9 |
| CVE-2023-27500 | Directory Traversal | Critical | 9.6 |
| CVE-2025-42958 | Missing Authentication Check | Critical | 9.1 |
| CVE-2025-42933 | Insecure Storage of Sensitive Information | High | 8.8 |
| CVE-2025-42929 | Missing Input Validation | High | 8.1 |
| CVE-2025-42916 | Missing Input Validation | High | 8.1 |
| CVE-2025-27428 | Directory Traversal | High | 7.7 |
| CVE-2025-22228 | Security Misconfiguration | Medium | 6.6 |
| CVE-2025-42930 | Denial of Service | Medium | 6.5 |
| CVE-2025-42912, CVE-2025-42913, CVE-2025-42914 | Missing Authorization Check | Medium | 6.5 |
| CVE-2025-42917 | Missing Authorization Check | Medium | 6.5 |
| CVE-2023-5072 | Denial of Service (outdated JSON library) | Medium | 6.5 |
| CVE-2025-42920 | Cross-Site Scripting | Medium | 6.1 |
| CVE-2025-42938 | Cross-Site Scripting | Medium | 6.1 |
| CVE-2025-42915 | Missing Authorization Check | Medium | 5.4 |
| CVE-2025-42926 | Missing Authentication Check | Medium | 5.3 |
| CVE-2025-42911 | Missing Authorization Check | Medium | 5.0 |
| CVE-2025-42961 | Missing Authorization Check | Medium | 4.9 |
| CVE-2025-42925 | Predictable Object Identifier | Medium | 4.3 |
| CVE-2025-42923 | Cross-Site Request Forgery | Medium | 4.3 |
| CVE-2025-42918 | Missing Authorization Check | Medium | 4.3 |
| CVE-2025-42941 | Reverse Tabnabbing | Low | 3.5 |
| CVE-2025-42927 | Information Disclosure (outdated OpenSSL) | Low | 3.4 |
| CVE-2024-13009 | Improper Resource Release | Low | 3.1 |

Secure configuration guidance and credits for researchers are available on the SAP Support portal. For detailed instructions and archived patch days, please refer to SAP’s official documentation.
