As part of its scheduled security maintenance, SAP released its September 2025 Patch Day notes, addressing a total of 21 new vulnerabilities and providing updates to four previously released security advisories.
Among the newly addressed flaws are four critical vulnerabilities that could expose SAP systems to significant risk, including remote code execution and complete system compromise.
Organizations are strongly urged to apply these patches to safeguard their enterprise environments.
Critical Vulnerabilities Patched
This month’s most severe vulnerability, identified as CVE-2025-42944, carries a CVSS score of 10.0, the highest possible rating.
This flaw is an Insecure Deserialization vulnerability in SAP NetWeaver’s Remote Method Invocation (RMI-P4) component.
A successful exploit could allow an unauthenticated remote attacker to execute arbitrary code, potentially leading to a full compromise of the affected system’s confidentiality, integrity, and availability.
Another critical issue, CVE-2025-42922, affects the SAP NetWeaver Application Server (AS) Java. This Insecure File Operations vulnerability, with a CVSS score of 9.9, allows a low-privileged attacker to perform unauthorized file operations.
This could enable the attacker to read, modify, or delete sensitive system files, leading to a significant impact on the system’s security.
An update was issued for a previously disclosed critical vulnerability, CVE-2023-27500, a Directory Traversal flaw in SAP NetWeaver AS for ABAP and ABAP Platform.
With a CVSS score of 9.6, this vulnerability could be exploited by an attacker with low privileges to overwrite critical system files, potentially causing system-wide disruption and data corruption.
The fourth critical vulnerability, CVE-2025-42958, is a Missing Authentication check in SAP NetWeaver, rated with a CVSS score of 9.1.
This vulnerability could be exploited by a highly privileged attacker to bypass authentication mechanisms, granting them unauthorized access to critical functionalities and data.
High-Priority Flaws And Other Patches
In addition to the critical issues, SAP patched several high-priority vulnerabilities. These include:
- CVE-2025-42933: An Insecure Storage of Sensitive Information flaw in SAP Business One (SLD) with a CVSS score of 8.8.
- CVE-2025-42929: A Missing Input Validation vulnerability in SAP Landscape Transformation Replication Server, rated 8.1.
- CVE-2025-42916: A similar Missing Input Validation flaw in SAP S/4HANA, also with a CVSS of 8.1.
- An update to CVE-2025-27428, a Directory Traversal vulnerability in SAP NetWeaver and ABAP Platform, carrying a CVSS score of 7.7.
The remaining patches address vulnerabilities of medium and low severity, including Cross-Site Scripting (XSS), Denial of Service (DoS), and Missing Authorization checks across a range of SAP products such as SAP Commerce Cloud, SAP BusinessObjects, and several Fiori applications.
Of the 25 security notes released on SAP’s September 2025 Patch Day, 21 were new. Here is a table detailing these vulnerabilities:
| SAP Note # | CVE ID | Vulnerability Title | Affected Product | Priority | CVSS 3.0 Score |
|---|---|---|---|---|---|
| 3634501 | CVE-2025-42944 | Insecure Deserialization vulnerability in SAP Netweaver (RMI-P4) | SAP Netweaver (RMI-P4) | Critical | 10.0 |
| 3643865 | CVE-2025-42922 | Insecure File Operations vulnerability in SAP NetWeaver AS Java (Deploy Web Service) | SAP NetWeaver AS Java (Deploy Web Service) | Critical | 9.9 |
| 3627373 | CVE-2025-42958 | Missing Authentication check in SAP NetWeaver | SAP NetWeaver | Critical | 9.1 |
| 3642961 | CVE-2025-42933 | Insecure Storage of Sensitive Information in SAP Business One (SLD) | SAP Business One (SLD) | High | 8.8 |
| 3633002 | CVE-2025-42929 | Missing input validation vulnerability in SAP Landscape Transformation Replication Server | SAP Landscape Transformation Replication Server | High | 8.1 |
| 3635475 | CVE-2025-42916 | Missing input validation vulnerability in SAP S/4HANA (Private Cloud or On-Premise) | SAP S/4HANA (Private Cloud or On-Premise) | High | 8.1 |
| 3620264 | CVE-2025-22228 | Security Misconfiguration vulnerability in Spring security within SAP Commerce Cloud and SAP Datahub | SAP Commerce Cloud and SAP Datahub | Medium | 6.6 |
| 3614067 | CVE-2025-42930 | Denial of Service (DoS) vulnerability in SAP Business Planning and Consolidation | SAP Business Planning and Consolidation | Medium | 6.5 |
| 3635587 | CVE-2025-42912, CVE-2025-42913, CVE-2025-42914 | Missing Authorization check in SAP HCM (My Timesheet Fiori 2.0 application) | SAP HCM (My Timesheet Fiori 2.0 application) | Medium | 6.5 |
| 3643832 | CVE-2025-42917 | Missing Authorization check in SAP HCM (Approve Timesheets Fiori 2.0 application) | SAP HCM (Approve Timesheets Fiori 2.0 application) | Medium | 6.5 |
| 3611420 | CVE-2023-5072 | Denial of Service (DoS) vulnerability due to outdated JSON library used in SAP BusinessObjects Business Intelligence Platform | SAP BusinessObjects Business Intelligence Platform | Medium | 6.5 |
| 3647098 | CVE-2025-42920 | Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management | SAP Supplier Relationship Management | Medium | 6.1 |
| 3629325 | CVE-2025-42938 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Platform | SAP NetWeaver ABAP Platform | Medium | 6.1 |
| 3409013 | CVE-2025-42915 | Missing Authorization Check in Fiori app (Manage Payment Blocks) | Fiori app (Manage Payment Blocks) | Medium | 5.4 |
| 3619465 | CVE-2025-42926 | Missing Authentication check in SAP NetWeaver Application Server Java | SAP NetWeaver Application Server Java | Medium | 5.3 |
| 3627644 | CVE-2025-42911 | Missing Authorization check in SAP NetWeaver (Service Data Download) | SAP NetWeaver (Service Data Download) | Medium | 5.0 |
| 3640477 | CVE-2025-42925 | Predictable Object Identifier vulnerability in SAP NetWeaver AS Java (IIOP Service) | SAP NetWeaver AS Java (IIOP Service) | Medium | 4.3 |
| 3450692 | CVE-2025-42923 | Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App (F4044 Manage Work Center Groups) | SAP Fiori App (F4044 Manage Work Center Groups) | Medium | 4.3 |
| 3623504 | CVE-2025-42918 | Missing Authorization check in SAP NetWeaver Application Server for ABAP (Background Processing) | SAP NetWeaver Application Server for ABAP (Background Processing) | Medium | 4.3 |
| 3525295 | CVE-2025-42927 | Information Disclosure due to Outdated OpenSSL Version in SAP NetWeaver AS Java (Adobe Document Service) | SAP NetWeaver AS Java (Adobe Document Service) | Low | 3.4 |
| 3632154 | CVE-2024-13009 | Potential Improper Resource Release vulnerability in SAP Commerce Cloud | SAP Commerce Cloud | Low | 3.1 |
SAP administrators are advised to review the complete list of security notes and prioritize the application of patches, starting with the critical vulnerabilities, to protect their systems from potential exploitation.
Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
