GBHackers

SAP Security Patch Day Addresses 21 Vulnerabilities, 4 Classified as Critical


SAP’s Security Patch Day on September 9, 2025, introduced fixes for 21 newly discovered vulnerabilities across its product portfolio and provided updates to four previously released security notes.

With four issues rated as Critical, organizations running SAP environments are urged to prioritize patching to safeguard their systems from potential exploits.

This month’s release spans a variety of SAP products, from NetWeaver components and ABAP platforms to S/4HANA and Business One modules.

Four of the newly addressed vulnerabilities carry a CVSS score of 9.0 or higher, reflecting the severity and potential impact on confidentiality, integrity, and availability if left unpatched.

Additionally, SAP issued updates for four earlier security notes to refine or expand existing patches.

SAP strongly recommends that customers visit the Support Portal and apply the relevant security notes immediately.

Following secure configuration guidance is also essential to maintain a robust security posture.

Vulnerability Details

The Critical issues include insecure deserialization in SAP NetWeaver, insecure file operations in AS Java, directory traversal in ABAP platforms, and missing authentication checks in NetWeaver kernels.

High-severity flaws mostly involve missing input validation or insecure storage, affecting modules like Business One, S/4HANA replication, and SAP Landscape Transformation servers.

Medium-rated vulnerabilities cover misconfigurations, cross-site scripting, and missing authorization checks in HCM Fiori apps, Commerce Cloud, and Business Planning modules.

Two Low-rated flaws address reverse tabnabbing in Fiori launchpads and outdated OpenSSL in Adobe Document Services, alongside a historical vulnerability in Commerce Cloud.

Below is a consolidated table listing each security note, associated CVE identifier(s), product, version, priority, and CVSS score.

| CVE(s) | Title | Priority | CVSS |
| --- | --- | --- | --- |
| CVE-2025-42944 | Insecure Deserialization | Critical | 10.0 |
| CVE-2025-42922 | Insecure File Operations | Critical | 9.9 |
| CVE-2023-27500 | Directory Traversal | Critical | 9.6 |
| CVE-2025-42958 | Missing Authentication Check | Critical | 9.1 |
| CVE-2025-42933 | Insecure Storage of Sensitive Information | High | 8.8 |
| CVE-2025-42929 | Missing Input Validation | High | 8.1 |
| CVE-2025-42916 | Missing Input Validation | High | 8.1 |
| CVE-2025-27428 | Directory Traversal | High | 7.7 |
| CVE-2025-22228 | Security Misconfiguration | Medium | 6.6 |
| CVE-2025-42930 | Denial of Service | Medium | 6.5 |
| CVE-2025-42912, CVE-2025-42913, CVE-2025-42914 | Missing Authorization Check | Medium | 6.5 |
| CVE-2025-42917 | Missing Authorization Check | Medium | 6.5 |
| CVE-2023-5072 | Denial of Service (outdated JSON library) | Medium | 6.5 |
| CVE-2025-42920 | Cross-Site Scripting | Medium | 6.1 |
| CVE-2025-42938 | Cross-Site Scripting | Medium | 6.1 |
| CVE-2025-42915 | Missing Authorization Check | Medium | 5.4 |
| CVE-2025-42926 | Missing Authentication Check | Medium | 5.3 |
| CVE-2025-42911 | Missing Authorization Check | Medium | 5.0 |
| CVE-2025-42961 | Missing Authorization Check | Medium | 4.9 |
| CVE-2025-42925 | Predictable Object Identifier | Medium | 4.3 |
| CVE-2025-42923 | Cross-Site Request Forgery | Medium | 4.3 |
| CVE-2025-42918 | Missing Authorization Check | Medium | 4.3 |
| CVE-2025-42941 | Reverse Tabnabbing | Low | 3.5 |
| CVE-2025-42927 | Information Disclosure (Outdated OpenSSL) | Low | 3.4 |
| CVE-2024-13009 | Improper Resource Release | Low | 3.1 |
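As an added example (not code from SAP or this article), the script below ingests rows from the table above, in the run-together form advisory tables often take once scraped, expands shorthand CVE lists such as "CVE-2025-42912, 42913, 42914" into full identifiers, and applies the article's own prioritisation rule: Critical notes and anything scoring 9.0 or higher go first. The row format and the triage rule are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass
# Sample rows copied from the table above, in the run-together form the
# columns take once an advisory page has been scraped (constructed input).
ROWS = """\
CVE-2025-42944Insecure DeserializationCritical10.0
CVE-2025-42922Insecure File OperationsCritical9.9
CVE-2023-27500Directory TraversalCritical9.6
CVE-2025-42958Missing Authentication checkCritical9.1
CVE-2025-42933Insecure Storage of Sensitive InformationHigh8.8
CVE-2025-42912, 42913, 42914Missing Authorization checkMedium6.5
CVE-2025-42941Reverse TabnabbingLow3.5
""".splitlines()

# One full CVE id, optional shorthand ids after commas, then title,
# priority word and a one-decimal CVSS score glued together.
ROW_RE = re.compile(
    r"^(?P<cves>CVE-\d{4}-\d+(?:, \d+)*)(?P<title>.+?)"
    r"(?P<priority>Critical|High|Medium|Low)(?P<cvss>\d+\.\d)$"
)

@dataclass(frozen=True)
class Finding:
    cves: tuple
    title: str
    priority: str
    cvss: float

def expand_cves(field):
    """'CVE-2025-42912, 42913, 42914' -> three full CVE ids (same year)."""
    parts = [p.strip() for p in field.split(",")]
    year = parts[0].split("-")[1]
    return tuple(p if p.startswith("CVE-") else f"CVE-{year}-{p}" for p in parts)

def parse_rows(rows):
    """Turn each glued row into a Finding; fail loudly on anything unparsed."""
    findings = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m is None:
            raise ValueError(f"unparseable row: {row!r}")
        findings.append(Finding(expand_cves(m["cves"]), m["title"].strip(),
                                m["priority"], float(m["cvss"])))
    return findings

def triage(findings, floor=9.0):
    """Patch-first list: Critical or CVSS >= floor (the article's 9.0), highest first."""
    urgent = [f for f in findings if f.priority == "Critical" or f.cvss >= floor]
    return sorted(urgent, key=lambda f: f.cvss, reverse=True)
```

Feeding the full table through `parse_rows` gives a structured list that can be loaded into a vulnerability tracker, with `triage` producing the set to schedule before the rest.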

Secure configuration guidance and credits for researchers are available on the SAP Support portal. For detailed instructions and archived patch days, please refer to SAP’s official documentation.
