SAP fixes multiple critical flaws in September 2025 patch day, including maximum severity NetWeaver flaw
Take action: If you run SAP systems, review the advisory to check whether you are affected. First priority is NetWeaver. Make sure the RMI-P4 port is isolated from the internet and reachable only from trusted systems. Then prioritize patching NetWeaver: it's already being targeted, so we know hackers love it.
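An added exposure check to verify the isolation advice above; it is not from the advisory or from SAP. It assumes SAP's default AS Java port scheme, where RMI-P4 listens on TCP 5NN04 for instance number NN (unless overridden in the instance profile), and the host inventory it runs over is a constructed sample.

```python
import socket
from contextlib import closing

def p4_port(instance_number: int) -> int:
    """RMI-P4 TCP port for AS Java instance NN under SAP's default port scheme (5NN04).
    Assumption: the default was not overridden in the instance profile."""
    if not 0 <= instance_number <= 99:
        raise ValueError("SAP instance number must be between 00 and 99")
    return 50000 + instance_number * 100 + 4

def is_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True when a TCP handshake to host:port completes from this vantage point."""
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except OSError:  # refused, filtered/timeout, DNS failure: all count as not reachable
        return False

def audit_p4_exposure(systems, timeout: float = 3.0):
    """systems: iterable of (host, instance_number). Returns a list of
    (host, p4_port, reachable). Run it from an untrusted network position
    (e.g. outside the corporate perimeter): any True result means the P4
    port is not isolated the way the advisory recommends."""
    results = []
    for host, nn in systems:
        port = p4_port(nn)
        results.append((host, port, is_reachable(host, port, timeout)))
    return results

def self_check():
    """Offline sanity check of the probe: one open and one closed loopback port."""
    with closing(socket.socket()) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        open_port = srv.getsockname()[1]
        seen_open = is_reachable("127.0.0.1", open_port, 1.0)
    # the listener is closed now, so the same port must be refused
    seen_closed = is_reachable("127.0.0.1", open_port, 1.0)
    return seen_open, seen_closed

if __name__ == "__main__":
    # constructed sample inventory; replace with your own hosts and instance numbers
    inventory = [("sapjava01.example.internal", 0), ("sapjava02.example.internal", 1)]
    for host, port, exposed in audit_p4_exposure(inventory):
        print(f"{host}:{port} (RMI-P4) {'EXPOSED' if exposed else 'not reachable'}")
```

Any host reported as exposed from outside the trusted network needs a firewall change before, not instead of, the NetWeaver patch.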
SAP has released its September 2025 Security Patch Day, addressing 21 new vulnerabilities and updating four previously released security notes. The update patches several critical-severity flaws in SAP NetWeaver.
SAP NetWeaver serves as the foundational middleware platform for SAP's business applications including ERP, CRM, SRM, and SCM systems. The broad deployment of NetWeaver in enterprise environments means that successful exploitation could have far-reaching consequences across corporate infrastructure.
Vulnerabilities summary
- CVE-2025-42944 (CVSS score 10) - Insecure Deserialization vulnerability in SAP NetWeaver (RMI-P4), ServerCore 7.50. This insecure deserialization vulnerability affects SAP NetWeaver's Remote Method Invocation (RMI-P4) component in ServerCore 7.50. It allows unauthenticated attackers to achieve arbitrary operating system command execution by sending malicious Java objects through the RMI-P4 module to an open port. RMI-P4 is the Remote Method Invocation protocol used by SAP NetWeaver AS Java for internal SAP-to-SAP communication and administration. Although the P4 port is intended for internal use, organizations may inadvertently expose it to wider networks or the internet through firewall misconfigurations.
- CVE-2025-42922 (CVSS score 9.9) - Insecure File Operations vulnerability in SAP NetWeaver AS Java (Deploy Web Service), J2EE-APPS 7.50. This insecure file operations flaw enables authenticated non-administrative users to abuse the web service deployment functionality to upload arbitrary files to the system. Successful exploitation could allow attackers to achieve complete system compromise by uploading malicious files or overwriting critical system components.
- CVE-2023-27500 (CVSS score 9.6) - Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform, versions 700-757
- CVE-2025-42958 (CVSS score 9.1) - Missing Authentication check in SAP NetWeaver, multiple kernel versions. It allows high-privileged users to bypass authentication mechanisms, granting them access to read, modify, or delete sensitive data and access administrative functionality.
- CVE-2025-42933 (CVSS score 8.8) - Insecure Storage of Sensitive Information in SAP Business One (SLD), versions B1_ON_HANA 10.0, SAP-M-BO 10.0
- CVE-2025-42929 (CVSS score 8.1) - Missing input validation vulnerability in SAP Landscape Transformation Replication Server, DMIS versions
- CVE-2025-42916 (CVSS score 8.1) - Missing input validation vulnerability in SAP S/4HANA (Private Cloud or On-Premise), S4CORE 102-108
- CVE-2025-27428 (CVSS score 7.7) - Directory Traversal vulnerability in SAP NetWeaver and ABAP Platform (Service Data Collection), ST-PI versions
- CVE-2025-22228 (CVSS score 6.6) - Security Misconfiguration vulnerability in Spring security within SAP Commerce Cloud and SAP Datahub
- CVE-2025-42930 (CVSS score 6.5) - Denial of Service (DoS) vulnerability in SAP Business Planning and Consolidation
- CVE-2025-42912 (CVSS score 6.5) - Missing Authorization check in SAP HCM (My Timesheet Fiori 2.0 application), GBX01HR5 605
- CVE-2025-42917 - Missing Authorization check in SAP HCM (Approve Timesheets Fiori 2.0 application), GBX01HR5 605
- CVE-2023-5072 (CVSS score 6.5) - Denial of Service (DoS) vulnerability due to outdated JSON library in SAP BusinessObjects Business Intelligence Platform
- CVE-2025-42920 (CVSS score 6.1) - Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management, SRM_SERVER
- CVE-2025-42938 (CVSS score 6.1) - Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Platform, multiple versions
- CVE-2025-42915 (CVSS score 9.1) - Missing Authorization Check in Fiori app (Manage Payment Blocks), S4CORE 107, 108 (Medium, CVSS 5.4)
- CVE-2025-42926 (CVSS score 5.3) - Missing Authentication check in SAP NetWeaver Application Server Java, WD-RUNTIME 7.50
- CVE-2025-42911 (CVSS score 5.0) - Missing Authorization check in SAP NetWeaver (Service Data Download), multiple SAP_BASIS versions
- CVE-2025-42961 (CVSS score 4.9) - Missing Authorization check in SAP NetWeaver Application Server for ABAP, multiple SAP_BASIS versions
- CVE-2025-42925 (CVSS score 4.3) - Predictable Object Identifier vulnerability in SAP NetWeaver AS Java (IIOP Service), SERVERCORE 7.50
- CVE-2025-42923 (CVSS score 4.3) - Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App (F4044 Manage Work Center Groups)
- CVE-2025-42918 (CVSS score 4.3) - Missing Authorization check in SAP NetWeaver Application Server for ABAP (Background Processing)
- CVE-2025-42941 (CVSS score 3.5) - Reverse Tabnabbing vulnerability in SAP Fiori (Launchpad), SAP_UI 754
- CVE-2025-42927 (CVSS score 3.4) - Information Disclosure due to Outdated OpenSSL Version in SAP NetWeaver AS Java (Adobe Document Service), ADSSAP 7.50
- CVE-2024-13009 (CVSS score 3.1) - Potential Improper Resource Release vulnerability in SAP Commerce Cloud
SAP products are frequently attacked because they are deployed in large organizations handling mission-critical data, which makes them high-value targets.
The company strongly recommends that customers visit the Support Portal and apply patches with priority to protect their SAP landscape, particularly for the four critical vulnerabilities that could enable complete system compromise.
System administrators should prioritize patching the critical vulnerabilities, especially CVE-2025-42944 given its maximum severity score and potential for unauthenticated remote code execution.