SAP Security Patch Day – September 2025
On September 9, 2025, SAP released 21 new Security Notes as part of its monthly Security Patch Day, along with 5 updates to previously released notes. This month’s release represents a continuation of the high-severity threat landscape, featuring 4 Critical-severity vulnerabilities with CVSS scores ranging from 9.1 to 10.0, 4 High-severity issues (CVSS 7.7–8.8), 12 Medium-severity problems (CVSS 4.3–6.6), and 3 Low-severity vulnerabilities (CVSS 3.1–3.5). The focus centered on deserialization attacks, authentication bypasses, and authorization control failures, with several notes addressing flaws that could lead to a complete system compromise.
Key Highlights by Severity
Critical Priority (CVSS 10.0)
- An insecure deserialization vulnerability in SAP NetWeaver’s RMI-P4 module enables unauthenticated attackers to execute arbitrary OS commands by sending a malicious payload to the P4 service port, leading to a complete compromise of the system.
Critical Priority (CVSS 9.9)
- SAP NetWeaver AS Java’s Deploy Web Service contains an insecure file operations flaw that allows authenticated non-administrative users to upload and execute arbitrary files, potentially leading to a full system compromise.
Critical Priority (CVSS 9.6)
- An updated note for a directory traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (originally released in March 2023) addresses a flaw that allows attackers with non-administrative privileges to overwrite critical OS files, rendering the system unavailable.
Critical Priority (CVSS 9.1)
- A missing authentication check in SAP NetWeaver specifically affects IBM i-series implementations that run multiple SAP system IDs in one logical partition, allowing a high-privileged user to reach administrative functionality they are not authorized for.
High Priority (CVSS 8.8)
- SAP Business One’s SLD returns sensitive credentials in HTTP response bodies without adequate encryption during native client authentication, exposing database passwords and other critical information.
High Priority (CVSS 8.1)
- Two separate missing input validation vulnerabilities affect SAP Landscape Transformation Replication Server and SAP S/4HANA, both enabling high-privileged users to delete the contents of arbitrary database tables when those tables are not properly protected by an authorization group.
High Priority (CVSS 7.7)
- A directory traversal flaw in SAP NetWeaver’s Service Data Collection component allows an authenticated attacker to read files from any managed system connected to SAP Solution Manager through RFC-enabled function modules.
Key Affected Components
SAP NetWeaver (Multiple Components): 8 security notes affecting various modules including RMI-P4, AS Java, ABAP Platform, and Application Server components, highlighting persistent infrastructure vulnerabilities across the platform.
SAP S/4HANA: 3 security notes targeting core functions including missing input validation and authorization checks, demonstrating continued risks in enterprise resource planning systems.
SAP Business Applications: 4 security notes affecting Business One, HCM applications, Business Planning and Consolidation, and Commerce Cloud, emphasizing client-facing and business process vulnerabilities.
SAP Fiori and UI Components: 3 security notes addressing authorization bypasses, cross-site request forgery, and reverse tabnabbing in various Fiori applications and launchpad components.
Other Enterprise Components: Notes spanning Supplier Relationship Management, BusinessObjects Business Intelligence Platform, and Adobe Document Services, showing the breadth of the SAP ecosystem’s security challenges.
Notable Trends
1. Deserialization Dominance:
The month’s most severe vulnerability is an insecure deserialization flaw scored CVSS 10.0, the maximum possible: network-reachable, unauthenticated remote code execution with no user interaction and full loss of confidentiality, integrity, and availability.
2. Authentication and Authorization Crisis:
Over 40% of vulnerabilities stem from missing authentication checks or authorization bypasses, indicating systemic challenges in SAP’s access management across multiple product lines.
3. Update Pattern Intensification:
5 updates to previous notes from March, April, July, and August releases show ongoing refinements to critical fixes, including two critical vulnerabilities that received post-release updates.
4. NetWeaver Infrastructure Focus:
Eight notes specifically target NetWeaver components, underscoring the platform’s role as a primary attack surface requiring comprehensive security attention.
5. Multi-Platform Exposure:
Vulnerabilities span from core ABAP systems to Java applications and client interfaces, demanding coordinated patching strategies across heterogeneous SAP landscapes.
6. Legacy and Modern Integration:
Several notes address both current and legacy components, highlighting the security complexity of maintaining mixed-version SAP environments.
The bottom line
September’s SAP Security Patch Day highlights a high-threat environment requiring immediate action across all SAP landscapes. Organizations should prioritize patching the four critical vulnerabilities, including the CVSS 10.0 deserialization flaw in RMI-P4 and critical NetWeaver AS Java/ABAP components.
Enhanced monitoring for unusual access patterns, a review of authorization structures, and readiness measures such as network segmentation, access logging, and backup verification are essential to mitigate risks from missing authentication and authorization checks.
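One concrete way to verify the network segmentation measure mentioned above is to probe, from an untrusted network segment, whether the ports that the critical notes are reached through (the P4 port from the CVSS 10.0 RMI-P4 note, and the RFC gateway behind the Service Data Collection note) are reachable at all. The following Python script is an added example and is neither Vicxer’s code nor an SAP tool; it derives the default SAP NetWeaver ports from an instance number (5NN00/5NN01/5NN04/5NN06/5NN08 for AS Java, 32NN/33NN/36NN for AS ABAP, which profile parameters can override) and attempts a TCP connect to each. The hostnames in the inventory are hypothetical. A reachable port is an exposure finding, not proof that the system is unpatched.

```python
"""Derive the default SAP NetWeaver listener ports for an instance and check
which of them are reachable from the network segment this script runs on.
Added example for the segmentation check; not Vicxer's code, not an SAP tool."""
import socket

# Default port conventions, where NN is the two-digit instance number.
# AS Java: HTTP 5NN00, HTTPS 5NN01, P4 5NN04, P4 over SSL 5NN06, Telnet 5NN08.
# AS ABAP: dispatcher 32NN, gateway (RFC) 33NN, message server 36NN.
JAVA_PORTS = {"http": 50000, "https": 50001, "p4": 50004, "p4_ssl": 50006, "telnet": 50008}
ABAP_PORTS = {"dispatcher": 3200, "gateway_rfc": 3300, "message_server": 3600}

# Services that should never answer from an untrusted segment (assumed policy).
UNTRUSTED_MUST_BLOCK = {"p4", "p4_ssl", "telnet", "gateway_rfc", "message_server"}


def sap_ports(instance_no: str, stack: str) -> dict:
    """Return {service: port} for a Java or ABAP instance.

    Java ports are 5NN0x, so the instance number is multiplied by 100;
    ABAP ports are 3xNN, so it is added directly.
    """
    if len(instance_no) != 2 or not instance_no.isdigit():
        raise ValueError("instance number must be two digits, e.g. '00'")
    nn = int(instance_no)
    if stack == "java":
        return {svc: base + nn * 100 for svc, base in JAVA_PORTS.items()}
    if stack == "abap":
        return {svc: base + nn for svc, base in ABAP_PORTS.items()}
    raise ValueError("stack must be 'java' or 'abap'")


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposure_report(host: str, instance_no: str, stack: str, probe=tcp_open) -> list:
    """Probe every derived port. Returns (service, port, reachable, violates_policy)
    tuples; violates_policy is True when a must-block service answers."""
    rows = []
    for svc, port in sap_ports(instance_no, stack).items():
        reachable = probe(host, port)
        rows.append((svc, port, reachable, reachable and svc in UNTRUSTED_MUST_BLOCK))
    return rows


# Constructed inventory with hypothetical hostnames; replace with your landscape.
INVENTORY = [
    ("sapjava01.example.internal", "00", "java"),
    ("sapabap01.example.internal", "01", "abap"),
]

if __name__ == "__main__":
    # Run this from a segment that should NOT reach SAP admin ports (e.g. office LAN).
    for host, inst, stack in INVENTORY:
        for svc, port, reachable, bad in exposure_report(host, inst, stack):
            state = "EXPOSED" if bad else ("open" if reachable else "closed")
            print(f"{host:32} {stack:5} {svc:15} {port:6} {state}")
```

Run it from each network zone that should be segmented away from the SAP landscape; any line marked EXPOSED means a firewall or ACL rule is missing, independent of patch status. The `probe` parameter exists so the port logic can be exercised without network access.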
The combination of new critical vulnerabilities, post-release updates, and broad exposure of core NetWeaver components underscores that traditional perimeter defenses alone may not be sufficient. Effective SAP security requires coordinated patching and proactive monitoring across heterogeneous systems, including both legacy and modern components.
Staying ahead of these threats demands a proactive approach. Vicxer’s SAP security experts provide tailored vulnerability management and real-time threat monitoring to protect your critical business systems. Contact us today to implement advanced SAP security defenses and ensure your environment remains secure.