The September 2025 SAP Patch Tuesday brings a critical batch of security updates addressing a diverse portfolio of vulnerabilities across prominent SAP platforms, reinforcing the importance of immediate patching and vigilant system hardening.
Overview
This month’s update comprises 25 new and updated SAP Security Notes targeting core SAP technologies including SAP NetWeaver, SAP S/4HANA, SAP Business One, and SAP Commerce Cloud. Several patches address critical vulnerabilities with CVSS scores rated as high as 10.0, which could enable attackers to achieve full system compromise and cause severe operational disruption.
Critical Vulnerabilities to Watch
Among the most urgent fixes are two “HotNews” level vulnerabilities in SAP NetWeaver AS Java, discovered via responsible coordinated research efforts with Onapsis:
- CVE-2025-42944 – Insecure Deserialization (RMI-P4)
CVSS Score: 10.0
Description: This flaw allows attackers to send maliciously crafted serialized objects that get deserialized insecurely, enabling remote code execution (RCE). It affects SAP NetWeaver Application Server (AS) Java, exposing critical business processes to compromise. - CVE-2025-42922 – Insecure File Operations in Deploy Web Service
CVSS Score: 9.9
Description: A vulnerability in the Deploy Web Service of SAP NetWeaver AS Java that permits an attacker with network access to perform unauthorized file operations, leading to potential arbitrary code execution.
Another critical flaw, CVE-2025-42957, patched previously in August but still highly relevant, is a far-reaching ABAP code injection vulnerability in SAP S/4HANA. This allows low-privileged users to inject arbitrary code via RFC-exposed function modules, effectively giving them admin-level control and potential OS-level access.
- CVE-2025-42957 – SAP S/4HANA Code Injection Vulnerability
CVSS Score: 9.9
Description: This critical vulnerability enables attackers to inject and execute arbitrary ABAP code remotely, leading to full system compromise. It has been actively exploited in the wild and is highly critical for business-critical SAP environments.
Additional critical fixes include:
- CVE-2023-27500 – Directory Traversal in SAP NetWeaver AS for ABAP
CVSS Score: 9.6
Description: This vulnerability allows an attacker to traverse directories and access unauthorized files on SAP NetWeaver AS for ABAP platforms. - CVE-2025-42958 – Missing Authentication Check in SAP NetWeaver BC-OP-AS4
CVSS Score: 9.1
Description: SAP NetWeaver Business Communication missing authentication validation, which could allow unauthorized access to services. - CVE-2025-31324 – Privilege Escalation in SAP Business One
CVSS Score: 8.8
Description: An authorization flaw in SAP Business One that permits escalation of privileges due to insufficient checks on sensitive operations.
High and Medium Priority Vulnerabilities
High-severity flaws impact various SAP components with issues such as missing input validation, weak encryption, and XSS:
- Input validation errors in SAP Landscape Transformation and S/4HANA modules (CVSS 8.1) enabling injection attacks.
- Cross-site scripting (XSS) in SAP Commerce Cloud and Supplier Relationship Management (SRM) modules, allowing session hijacking and UI manipulation (CVSS ~6.1).
- Security misconfigurations and authentication weaknesses in SAP Commerce Cloud, Datahub, and Human Capital Management (HCM) modules.
What This Means for Organizations
SAP systems, especially S/4HANA landscapes, are core to enterprise operations across financial, manufacturing, healthcare, and public sectors worldwide. The critical nature of these vulnerabilities—particularly those enabling remote code execution and code injection—demands swift patch application and robust security controls to avert potentially devastating breaches.
Recommended Actions
- Patch immediately: Ensure your SAP landscape is updated with the latest security notes from September 2025, particularly focusing on patches for NetWeaver AS Java and S/4HANA ABAP modules.
- Monitor and restrict RFC interfaces: Apply tight access control to RFC-enabled services, limiting exposure of vulnerable function modules.
- Audit and review authorizations: Examine user privileges, especially regarding objects related to code execution and administration.
- Log and alert on anomalies: Deploy continuous monitoring to detect suspicious system changes, new admin users, or unexpected code insertions.
- Implement layered defenses: Segmentation, backup strategies, and SAP-specific threat detection tools strengthen your security posture.
Conclusion
September’s SAP Patch Tuesday highlights the ever-present threat landscape facing enterprise platforms, spotlighting how critical vulnerabilities—if left unpatched—can enable attackers to gain escalating control leading to severe business impact. The urgent recommendation remains clear: apply patches promptly, monitor your SAP environment diligently, and adopt comprehensive safeguarding strategies.
Staying one step ahead of attackers requires proactive maintenance, rapid response, and collaboration across security teams and SAP support channels. Keep your SAP systems secure by acting without delay on the September 2025 patches.
