SAP’s September 2025 Security Patch Day delivers urgent fixes for 21 vulnerabilities across SAP products, including four critical flaws that demand immediate attention.
Organizations should prioritize these Security Notes by accessing the Support Portal and applying patches without delay to maintain a hardened SAP landscape.
## Critical Vulnerabilities
This month’s patch cycle addresses four critical issues, all rated CVSS 9.0 or above.
The most severe is an insecure deserialization flaw in SAP NetWeaver (RMI-P4) that carries a CVSS score of 10.0 and allows unauthenticated remote code execution.
Another critical note fixes an insecure file operations vulnerability in SAP NetWeaver AS Java, also enabling remote attack vectors with a 9.9 score.
Two additional critical updates remedy a directory traversal bug in NetWeaver AS for ABAP (CVSS 9.6) and a missing authentication check in core NetWeaver (CVSS 9.1).
Exploiting any of these could lead to complete system compromise, data exfiltration, or administrative takeover.
| Note# | CVE | Title | Priority | CVSS |
|---|---|---|---|---|
| 3634501 | CVE-2025-42944 | Insecure Deserialization in SAP NetWeaver (RMI-P4) | Critical | 10.0 |
| 3643865 | CVE-2025-42922 | Insecure File Operations in SAP NetWeaver AS Java (Deploy Web Service) | Critical | 9.9 |
| 3302162* | CVE-2023-27500 | Directory Traversal in SAP NetWeaver AS for ABAP | Critical | 9.6 |
| 3627373 | CVE-2025-42958 | Missing Authentication Check in SAP NetWeaver | Critical | 9.1 |
*Update to Security Note released on March 2023 Patch Day.
## High, Medium, and Low Findings
Beyond the critical flaws, SAP released patches for eleven high-severity, six medium-severity, and two low-severity issues.
High-severity fixes include input validation gaps in SAP Business One SLD and S/4HANA replication servers (CVSS 8.1–8.8). A path traversal vulnerability in Service Data Collection (CVSS 7.7) is also patched.
Medium-severity notes cover security misconfigurations in Commerce Cloud and Datahub (CVSS 6.6), denial-of-service in Business Planning and Consolidation (CVSS 6.5), and several missing authorization checks in SAP HCM and NetWeaver Application Server (CVSS 5.0–6.5).
Low-severity updates address reverse tabnabbing in Fiori Launchpad (CVSS 3.5) and an outdated OpenSSL disclosure in Adobe Document Service (CVSS 3.4), plus a 2024 Commerce Cloud resource release flaw (CVSS 3.1).
Organizations should adopt a risk-based approach: patch all critical issues first, followed by high-severity vulnerabilities within their change window, then medium and low as part of routine maintenance.
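The triage ordering above can be turned into a repeatable step: parse the Security Note table as published, bucket each note into a patch wave by its CVSS score, and flag any note whose printed Priority label disagrees with its score or that is a re-release of an older note (marked with `*`) and therefore needs checking against the version already applied. The following script is an added example, not code from SAP or from this article; the four critical rows are copied from the table above, while the two rows with note number `0000001`/`0000002` and `CVE-XXXX-PLACEHOLDER` identifiers are constructed placeholders that stand in for the unnamed high- and low-severity notes so that every wave is exercised.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Input table in the same markdown layout as the article. The first four rows are the
# published critical notes; the last two rows are CONSTRUCTED placeholders (not real
# SAP notes or CVEs) used only to exercise the lower patch waves.
NOTES_TABLE = """
| Note# | CVE | Title | Priority | CVSS |
|---|---|---|---|---|
| 3634501 | CVE-2025-42944 | Insecure Deserialization in SAP NetWeaver (RMI-P4) | Critical | 10.0 |
| 3643865 | CVE-2025-42922 | Insecure File Operations in SAP NetWeaver AS Java (Deploy Web Service) | Critical | 9.9 |
| 3302162* | CVE-2023-27500 | Directory Traversal in SAP NetWeaver AS for ABAP | Critical | 9.6 |
| 3627373 | CVE-2025-42958 | Missing Authentication Check in SAP NetWeaver | Critical | 9.1 |
| 0000001 | CVE-XXXX-PLACEHOLDER | Constructed high-severity placeholder | High | 8.1 |
| 0000002 | CVE-XXXX-PLACEHOLDER | Constructed low-severity placeholder | Low | 3.5 |
"""

# Wave boundaries follow the article's ordering: critical first, high within the
# change window, medium and low as routine maintenance. Thresholds match the CVSS v3
# qualitative bands (Critical >= 9.0, High >= 7.0, Medium >= 4.0, Low below 4.0).
WAVE_BY_PRIORITY = {
    "Critical": "wave-1-immediate",
    "High": "wave-2-change-window",
    "Medium": "wave-3-routine",
    "Low": "wave-3-routine",
}


@dataclass
class SecurityNote:
    note: str          # note number without the trailing '*'
    cve: str
    title: str
    priority: str      # Priority label as printed in the table
    cvss: float
    is_update: bool    # True when the table marks the note as a re-released update


def parse_notes(table: str) -> List[SecurityNote]:
    """Parse a markdown table of Security Notes, skipping header and separator rows."""
    notes: List[SecurityNote] = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or cells[0] == "Note#" or set(cells[0]) <= {"-"}:
            continue
        raw_id = cells[0]
        if not re.fullmatch(r"\d+\*?", raw_id):
            raise ValueError(f"unexpected note number: {raw_id!r}")
        notes.append(SecurityNote(
            note=raw_id.rstrip("*"), cve=cells[1], title=cells[2],
            priority=cells[3], cvss=float(cells[4]), is_update=raw_id.endswith("*"),
        ))
    return notes


def patch_wave(note: SecurityNote) -> str:
    """Assign a patch wave from the numeric CVSS score, not from the printed label."""
    if note.cvss >= 9.0:
        return "wave-1-immediate"
    if note.cvss >= 7.0:
        return "wave-2-change-window"
    return "wave-3-routine"


def schedule(notes: List[SecurityNote]) -> Dict[str, List[str]]:
    """Group note numbers by wave, highest CVSS first within each wave."""
    waves: Dict[str, List[str]] = {}
    for n in sorted(notes, key=lambda n: n.cvss, reverse=True):
        waves.setdefault(patch_wave(n), []).append(n.note)
    return waves


def priority_mismatches(notes: List[SecurityNote]) -> List[str]:
    """Return note numbers whose Priority label does not match the CVSS-derived wave.

    A mismatch usually means a transcription error in the advisory digest and is worth
    resolving against the Support Portal before the change is scheduled.
    """
    return [n.note for n in notes if WAVE_BY_PRIORITY.get(n.priority) != patch_wave(n)]


def updated_notes(notes: List[SecurityNote]) -> List[str]:
    """Re-released notes: confirm the newer version is applied, not only the original."""
    return [n.note for n in notes if n.is_update]


if __name__ == "__main__":
    parsed = parse_notes(NOTES_TABLE)
    for wave, ids in sorted(schedule(parsed).items()):
        print(f"{wave}: {', '.join(ids)}")
    print("label/score mismatches:", priority_mismatches(parsed) or "none")
    print("re-released notes to re-check:", updated_notes(parsed) or "none")
```

Waves are derived from the numeric score rather than from the Priority column so that a mislabelled row cannot silently slip into a later maintenance window; the label is only used as a cross-check.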
Maintaining an up-to-date patch posture is vital to defend against automated exploits and targeted attacks.
SAP customers are advised to monitor the Support Portal for any further updates or extended notes related to these vulnerabilities.
Regular patching, combined with network segmentation and least-privilege access controls, will significantly reduce exposure and protect business-critical processes.