SAP Security Notes: September 2025 Patch Day Analysis

Security Notes

September Patch Day: Key Highlights and a Critical Warning

SAP has published twenty-five new and updated SAP Security Notes in its September Patch Day, including four HotNews Notes and four High Priority Notes. Seven of the twenty-one new Security Notes were published in contribution with the Onapsis Research Labs.

This month’s SAP Patch Day delivered a busy set of critical and high-priority notes. Here is a brief rundown of the key highlights from our analysis:

Key Highlights from Our September 2025 Analysis

  • September Summary Twenty-five new and updated SAP security patches released, including four HotNews Notes and four High Priority Notes
  • SAP NW AS Java Two critical HotNews SAP Security Notes released
  • Onapsis Research Labs Contribution Our team supported SAP in patching seven vulnerabilities, covered by two HotNews and five Medium Priority SAP Security Notes

HotNews Notes: Analyzing Critical Vulnerabilities

The Onapsis Research Labs (ORL) supported SAP in patching two critical vulnerabilities in SAP NetWeaver AS Java.

SAP Security Note #3634501, tagged with the highest possible CVSS score of 10.0, patches an Insecure Deserialization vulnerability in the RMI-P4 module of an AS Java. The vulnerability allows an unauthenticated attacker to execute arbitrary OS commands by submitting malicious payload to an open port. A successful exploit can lead to full compromise of the application. As a temporary workaround, customers should add P4 port filtering at the ICM level to prevent unknown hosts from connecting to the P4 port. 

SAP Security Note #3643865, tagged with a CVSS score of 9.9, addresses an Insecure File Operations vulnerability in SAP NetWeaver AS Java. The ORL team detected a service flaw that allows an attacker, authenticated as a non-administrative user, to upload arbitrary files. On file execution, the system can be fully compromised.

The third new HotNews Note is SAP Security Note #3627373, tagged with a CVSS score of 9.1. The note patches a Missing Authentication Check in SAP NetWeaver applications running on IBM i-series. High privileged unauthorized users are able to read, modify, or delete sensitive information, as well as access administrative or privileged functionalities.

SAP HotNews Note #3302162, tagged with a CVSS score of 9.6, was initially released in March 2023 and patches a Directory Traversal vulnerability in SAP NetWeaver AS ABAP. The note was updated with additional correction instructions.

A Closer Look at High Priority Vulnerabilities

SAP Security Note #3642961, tagged with a CVSS score of 8.8, patches an Insecure Storage of Sensitive Information vulnerability in the System Landscape Directory backend service of SAP Business One. Due to a lack of proper encryption of some APIs, sensitive credentials could be exposed within the HTTP response body resulting in a high impact on the confidentiality, integrity, and availability of the application.    

SAP S/4HANA (Private Cloud or On-Premise) is affected by High Priority SAP Security Note #3635475, tagged with a CVSS score of 8.1. An ABAP report of the application allows the deletion of arbitrary tables, that are not protected by an authorization group, leading to a high impact on integrity and availability of the database.

SAP Security Note #3633002 patches the same vulnerability in SAP Landscape Transformation Replication Server.

SAP Security Note #3581811 was initially released in April 2025. The note is tagged with a CVSS score of 7.7 and patches a Directory Traversal vulnerability in SAP NetWeaver and ABAP Platform (Service Data Collection). The note has been re-released with updated correction instructions.

Onapsis Research Labs’ Contributions

In addition to the two vulnerabilities in SAP NetWeaver AS Java that were patched by HotNews Notes, the ORL team supported SAP in fixing five Medium Priority vulnerabilities.

SAP Security Note #3614067, tagged with a CVSS score of 6.5, patches a Denial of Service vulnerability in SAP Business Planning and Consolidation. The ORL team identified a remote-enabled function module, whose parameters could be crafted by authenticated standard users to cause an almost infinite loop, consuming excessive resources and resulting in system unavailability. 

SAP Security Note #3629325, tagged with a CVSS score of 6.1, describes a Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Platform. Due to insufficient encoding of URL parameters an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated user clicks on this link, the injected input is processed during the website’s page generation, resulting in the creation of malicious content. When executed, this content allows the attacker to access or modify information within the victim’s browser scope, impacting the confidentiality and integrity while availability remains unaffected.

SAP Security Note #3647098, tagged with a CVSS score of 6.1, patches another XSS vulnerability in SAP Supplier Relationship Management. A possible exploit and the impact is exactly the same as for SAP Security Note  #3629325.

The ORL team identified a remote-enabled function module in SAP NetWeaver (Service Data Download) that could grant access to information about the SAP system and operating system. The vulnerability is patched with SAP Security Note #3627644, tagged with a CVSS score of 5.0, by adding a proper authorization check to the function module.  

SAP Security Note #3640477, tagged with a CVSS score of 4.3, patches a Predictable Object Identifier vulnerability in the IIOP service of SAP NetWeaver AS Java. A lack of randomness in assigning Object Identifiers in the IIOP service allows an authenticated attacker with low privileges to easily predict the identifiers. This could enable them to get access to limited system information.

Summary and Final Recommendations

With twenty-five Security Notes, including four HotNews Note and four High Priority Notes, SAP’s September Patch Day is another busy one. Special attention should be paid to the two critical HotNews Notes for SAP NetWeaver AS Java that were patched in collaboration with the Onapsis Research Labs.

SAP NoteTypeDescriptionPriorityCVSS
3634501New[CVE-2025-42944] Insecure Deserialization vulnerability in SAP Netweaver (RMI-P4)
BC-JAS-COR-RMT
HotNews10.0
3643865New[CVE-2025-42922] Insecure File Operations vulnerability in SAP NetWeaver AS Java (Deploy Web Service)
BC-JAS-DPL
HotNews9.9
3302162Update[CVE-2023-27500] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform
BC-DOC-RIT
HotNews9.6
3627373New[CVE-2025-42958] Missing Authentication check in SAP NetWeaver
BC-OP-AS4
HotNews9.1
3642961New[CVE-2025-42933] Insecure Storage of Sensitive Information in SAP Business One (SLD)
SBO-BC-SLD
High8.8
3635475New[CVE-2025-42916] Missing input validation vulnerability in SAP S/4HANA (Private Cloud or On-Premise)
CA-DT-CNV-BAS
High8.1
3633002New[CVE-2025-42929] Missing input validation vulnerability in SAP Landscape Transformation Replication Server
CA-LT-OBT
High8.1
3581811Update[CVE-2025-27428] Directory Traversal vulnerability in SAP NetWeaver and ABAP Platform (Service Data Collection)
SV-SMG-SDD
High7.7
3620264New[CVE-2025-22228] Security Misconfiguration vulnerability in Spring security within SAP Commerce Cloud and SAP Datahub
CEC-SCC-PLA-PL
Medium6.6
3643832New[CVE-2025-42917] Missing Authorization check in SAP HCM (Approve Timesheets Fiori 2.0 application)
PA-FIO-TS
Medium6.5
3635587New[CVE-2025-42912] Missing Authorization check in SAP HCM (My Timesheet Fiori 2.0 application)
PA-FIO-TS
Medium6.5
3614067New[CVE-2025-42930] Denial of Service (DoS) vulnerability in SAP Business Planning and Consolidation
EPM-BPC-NW-SQE
Medium6.5
3611420New[CVE-2023-5072] Denial of Service (DoS) vulnerability due to outdated JSON library used in SAP BusinessObjects Business Intelligence Platform
BI-BIP-INV
Medium6.5
3629325New[CVE-2025-42938] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Platform
CRM-BF-ML
Medium6.1
3647098New[CVE-2025-42920] Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management
SRM-EBP-TEC-ITS
Medium6.1
3409013New[CVE-2025-42915] Missing Authorization Check in Fiori app (Manage Payment Blocks)
FI-FIO-AP
Medium5.4
3619465New[CVE-2025-42926] Missing Authentication check in SAP NetWeaver Application Server Java
BC-WD-JAV
Medium5.3
3627644New[CVE-2025-42911] Missing Authorization check in SAP NetWeaver (Service Data Download)
SV-SMG-SDD
Medium5.0
3610322Update[CVE-2025-42961] Missing Authorization check in SAP NetWeaver Application Server for ABAP
BC-DB-DBI
Medium4.9
3623504New[CVE-2025-42918] Missing Authorization check in SAP NetWeaver Application Server for ABAP (Background Processing)
BC-CCM-BTC
Medium4.3
3450692New[CVE-2025-42923] Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App (F4044 Manage Work Center Groups)
PP-BD-WKC
Medium4.3
3640477New[CVE-2025-42925] Predictable Object Identifier vulnerability in SAP NetWeaver AS Java (IIOP Service)
BC-JAS-COR-RMT
Medium4.3
3624943New[CVE-2025-42941] Reverse Tabnabbing vulnerability in SAP Fiori (Launchpad)
CA-FLP-FE-COR
Low3.5
3525295New[CVE-2025-42927] Information Disclosure due to Outdated OpenSSL Version in SAP NetWeaver AS Java (Adobe Document Service)
BC-SRV-FP
Low3.4
3632154New[CVE-2024-13009] Potential Improper Resource Release vulnerability in SAP Commerce Cloud
CEC-SCC-PLA-PL
Low3.1

To truly protect your SAP environment, immediate action is required. We strongly recommend that you begin by prioritizing the application of HotNews and High Priority security notes. This risk-based approach, combined with the use of SAP security automation tools, ensures you can address the most critical vulnerabilities swiftly and efficiently. Do not delay, as attackers often move quickly to exploit newly disclosed vulnerabilities.

As always, the Onapsis Research Labs is already updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.

For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defender’s Monthly Newsletter .

Frequently Asked Questions

Why is a structured patch management strategy critical for SAP?

A structured patch management process is essential for reducing your attack surface, ensuring compliance, and protecting business-critical data. Beyond simply applying patches, a comprehensive strategy involves prioritizing vulnerabilities based on risk and automating processes. For a deeper understanding of these best practices, review our SAP Security Notes Overview.

How can reviewing past SAP Security Notes improve our threat intelligence?

By analyzing historical patch data, organizations can gain valuable insight into evolving threat actor tactics and the types of vulnerabilities being targeted. This proactive approach allows you to better anticipate and defend against future threats. You can access all our past monthly analysis in the SAP Patch Day blog archive.

How should we prioritize patches based on SAP and CVSS scores?

Patches should be prioritized based on risk, with HotNews (CVSS 9.0-10.0) and High Priority (CVSS 7.0-8.9) notes being addressed first due to their potential for severe impact. It’s also critical to consider factors like exploit availability and whether a vulnerable system is exposed to the internet.