SAP has released its September 2025 security patch package containing 26 security notes addressing critical vulnerabilities across enterprise SAP environments. This release includes four HotNews vulnerabilities with CVSS ratings up to 10.0, four High priority issues, sixteen Medium priority fixes, and two Low priority updates. The patches affect NetWeaver AS Java, S/4HANA, SAP HCM, Business Planning and Consolidation, Commerce Cloud, and SAP Business One.
Executive Summary
- Critical Remote Code Execution: Four HotNews vulnerabilities including CVE-2025-42944 (CVSS 10.0) in NetWeaver RMI-P4, CVE-2025-42922 (CVSS 9.9) in Deploy Web Service, and CVE-2025-42958 (CVSS 9.1) with authentication bypass.
- High-Risk Authorization Failures: Multiple authorization bypass vulnerabilities in Business One SLD (CVSS 8.8), Landscape Transformation (CVSS 8.1), and missing input validation in S/4HANA components.
- Widespread Medium Issues: Authorization gaps in HCM Fiori apps, XSS in CRM/SRM, DoS in Business Planning, and Spring Security misconfigurations in Commerce Cloud.
Critical HotNews Vulnerabilities
Insecure Deserialization in NetWeaver RMI-P4
Missing authentication allows unauthenticated access to certain resources.
Insecure File Operations in Deploy Web Service
Authenticated attackers can manipulate file operations, leading to complete system takeover across connected environments.
Directory Traversal in NetWeaver ABAP Platform
Critical directory traversal vulnerability allowing authenticated users to manipulate file systems and compromise availability.
Missing Authentication in NetWeaver
Missing authentication check allows high-privileged users to escalate across system boundaries with full impact.
High Priority Security Issues
Insecure Storage in SAP Business One SLD
Sensitive information stored insecurely allows low-privileged users to access and modify critical business data.
Input Validation Flaw in S/4HANA Private Cloud
Missing input validation in conversion components enables adjacent network attacks affecting integrity and availability.
Input Validation Gap in Landscape Transformation
Landscape Transformation Replication Server vulnerability allows high-privileged users to compromise system integrity.
Directory Traversal in Service Data Collection
Directory traversal vulnerability allows authenticated users to access sensitive files outside intended directories.
Medium Priority Vulnerabilities
Spring Security Misconfiguration in Commerce Cloud
Security misconfiguration in Spring framework within SAP Commerce Cloud and Datahub.
Missing Authorization in HCM Timesheet Apps
Missing authorization in SAP HCM Approve Timesheets Fiori 2.0 application.
DoS Vulnerability in Business Planning
Authenticated users can cause service disruption in Business Planning and Consolidation.
Outdated JSON Library in BusinessObjects BI
Outdated JSON library in BusinessObjects BI Platform can lead to denial of service.
XSS in CRM Business Framework
Cross-site scripting vulnerability in NetWeaver ABAP Platform CRM component.
XSS in Supplier Relationship Management
Cross-site scripting vulnerability requiring user interaction in SAP SRM.
Authorization Gap in Manage Payment Blocks
Missing authorization check in Fiori app for managing payment blocks.
Missing Authentication in NetWeaver AS Java
Unauthenticated remote code execution via insecure deserialization. Maximum CVSS score indicates complete system compromise without authentication.
Service Data Download Authorization Gap
Missing authorization check in NetWeaver Service Data Download component.
Authorization Bypass in ABAP Database Interface
High-privileged users can access unauthorized database information.
CSRF in Manage Work Center Groups
Cross-Site Request Forgery vulnerability in SAP Fiori Work Center Groups app.
Background Processing Authorization Gap
Missing authorization in NetWeaver ABAP background processing component.
Predictable Object ID in IIOP Service
Predictable object identifier vulnerability in NetWeaver AS Java IIOP Service.
Outdated OpenSSL in Adobe Document Service
Information disclosure due to outdated OpenSSL version in NetWeaver AS Java.
Low Priority Security Updates
Reverse Tabnabbing in Fiori Launchpad
High-privileged users could be exposed to phishing attacks via tab hijacking.
Resource Release Issue in Commerce Cloud
Potential improper resource release vulnerability in SAP Commerce Cloud.
Security Advisory prepared by RedRays Cybersecurity Team
Based on SAP Security Notes published 09 Sep 2025.
© 2025 RedRays. Test patches in development environments before production deployment.