
SAP Security Patch Day – September 2025

As the summer holiday season winds down, many people are returning to their routines, but SAP security threats never take time off. On this September’s SAP Security Patch Day, SAP issued 25 Security Notes (including updates to existing notes), continuing the recent trend of high patch volumes. This underscores the critical importance of SAP security and highlights the need to automate patch day tasks.
Yet, for most SAP landscapes, applying patches is anything but straightforward. Complex system architectures, intertwined dependencies, and diverse components make the process both time-consuming and prone to mistakes. Missing a crucial update can happen all too easily, and the consequences can be serious.
At SecurityBridge, we understand these challenges like no other. That’s why our SecurityBridge Patch Management solution is designed to tackle them directly. It detects missing patches across your entire SAP environment, delivering comprehensive visibility, detailed impact analysis, and automated deployment capabilities. With a centralized system overview, it streamlines patching, reduces implementation times, and fortifies your SAP landscape against both current and emerging threats. If patching cannot be done immediately, improved detection via virtual patching is critical.
Security notes - September 2025
HotNews
We see four HotNews notes released on this month’s SAP Security Patch Day:
Note 3634501 addresses another deserialization vulnerability in the SAP NetWeaver Java stack. This recalls July’s patch cycle, when several similar issues were disclosed. In this case, the vulnerability specifically concerns the P4 protocol. Since this protocol is not widely known, let’s briefly explain: the P4 protocol is a proprietary SAP protocol used mainly by certain Java system clients. For example, the Integration Builder applications for SAP Process Integration rely on it. Unlike HTTP (used by browsers or standard tools), these applications connect via the P4 protocol through a separate port.
Further details:
According to the note, the protocol can be exploited to execute arbitrary OS commands without any authentication, which justifies its maximum CVSS score of 10. Patching is absolutely required. However, also consider the recommended workaround: communication over the P4 protocol is often needed by only a handful of users, or not at all. Access should be restricted at the ICM level (as the note suggests) or by other means, and such a restriction can be kept in place permanently.
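As an added illustration of what such an ICM-level restriction can look like (this is not configuration from the SAP note or from SecurityBridge), the profile entry for the P4 server port before and after binding it to an ICM access control list, followed by a constructed ACL file. The ACL path, the instance number placeholder `$$` and the IP ranges are assumptions to be replaced with your own values.

```ini
# --- Instance profile of the NetWeaver AS Java instance ---

# Before: the P4 port (5<instance no>04; "$$" expands to the instance number)
# accepts connections from any source address.
icm/server_port_1 = PROT=P4,PORT=5$$04

# After: the same port, now bound to an ACL file. The ICM evaluates the
# ACL before the request reaches the Java server. Path is a placeholder.
icm/server_port_1 = PROT=P4,PORT=5$$04,ACLFILE=$(DIR_GLOBAL)/security/data/p4_acl.txt

# --- Constructed sample ACL file: $(DIR_GLOBAL)/security/data/p4_acl.txt ---
# Format per line: permit|deny <IP address> <subnet mask bits>
# Lines are evaluated top-down and the first match wins, so the explicit
# permits must come before the final deny-all.

# Constructed: subnet of the workstations that run the PI Integration Builder
permit 10.20.30.0 24
# Constructed: one administration host that needs P4 for tooling
permit 10.20.31.15 32
# Everything else is refused at the ICM
deny 0.0.0.0 0
```

After activating the change, confirm from a host outside the permitted ranges that the P4 port refuses the connection, and from inside that the Integration Builder still connects.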
Note 3643865 highlights a vulnerability in the Deploy Web Service on the SAP NetWeaver Java stack. It allows arbitrary file uploads to the server, leading to potential full system compromise. Any non-administrative user can exploit this. Since no workaround exists, patching is the only solution.
Note 3302162 is an older HotNews note (from 2023) that has been re-released with updated Correction Instructions. If your system matches the relevant version level, ensure you re-check and apply the updated fixes.
Note 3627373 is relevant only for ABAP systems running on IBM-i where multiple system instances (SIDs) share the same LPAR. Although the description of the vulnerability is somewhat vague, it appears to allow access across systems in this configuration. If your environment matches these conditions, update the SAP kernel as outlined in the note.
High-Priority Notes
While High-priority notes are a step below HotNews in criticality, they are still important. Four notes fall into this category:
Note 3642961 discloses a vulnerability in SAP Business One, a component not frequently patched for security issues.
Notes 3635475 and 3633002 cover nearly identical vulnerabilities where database table content can be deleted in S/4 CORE and DMIS components.
Note 3581811 (originally released in April) has updated Correction Instructions for the ST-PI component.
None of these notes provides workarounds — patching is mandatory.
Medium- and Low-Priority Notes – External Libraries
This Patch Tuesday, 16 notes fall into the Medium or Low categories. Highlights include:
Note 3620264: vulnerability in the Spring Security component affecting SAP Commerce Cloud and SAP Datahub. Resolution: update the relevant components and redeploy.
Note 3611420: vulnerability in a JSON parser.
Note 3525295: information disclosure due to an outdated OpenSSL version used by Adobe Document Service on SAP NetWeaver Java stacks.
Note 3632154: vulnerability involving outdated Jetty classes.
All of the above issues arise from third-party libraries bundled with SAP software!
SecurityBridge Findings
At SecurityBridge, we don’t just deliver a comprehensive SAP security platform — we actively contribute research to the SAP security community. Our continuous research often uncovers new vulnerabilities, which we disclose responsibly and resolve in close collaboration with SAP.
For this month’s release, we are proud to highlight our latest discovery:
Medium: Note 3623504 [CVE-2025-42918] — Missing authorization check in SAP NetWeaver Application Server for ABAP (Background Processing).
SAP Security Notes September 2025
Highlights
4 HotNews notes on the NetWeaver ABAP and Java stack. External libraries are a common cause for vulnerabilities.
Summary by Severity
The September release contains a total of 25 patches for the following severities:
Severity | Number
---|---
Hot News | 4
High | 4
Medium | 14
Low | 3
Note | Description | Priority | Released on | Component | Category | Severity | CVSS
---|---|---|---|---|---|---|---
3634501 | [CVE-2025-42944] Insecure Deserialization vulnerability in SAP NetWeaver (RMI-P4) | HotNews | 09.09.2025 | BC-JAS-COR-RMT | Program error | Hot News | 10.0
3643865 | [CVE-2025-42922] Insecure File Operations vulnerability in SAP NetWeaver AS Java (Deploy Web Service) | HotNews | 09.09.2025 | BC-JAS-DPL | Program error | Hot News | 9.9
3302162 | [CVE-2023-27500] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | HotNews | 14.03.2023 | BC-DOC-RIT | Program error | Hot News | 9.6
3627373 | [CVE-2025-42958] Missing Authentication check in SAP NetWeaver | HotNews | 09.09.2025 | BC-OP-AS4 | Program error | Hot News | 9.1
3642961 | [CVE-2025-42933] Insecure Storage of Sensitive Information in SAP Business One (SLD) | Correction with high priority | 09.09.2025 | SBO-BC-SLD | Program error | High | 8.8
3635475 | [CVE-2025-42916] Missing input validation vulnerability in SAP S/4HANA (Private Cloud or On-Premise) | Correction with high priority | 09.09.2025 | CA-DT-CNV-BAS | Program error | High | 8.1
3633002 | [CVE-2025-42929] Missing input validation vulnerability in SAP Landscape Transformation Replication Server | Correction with high priority | 09.09.2025 | CA-LT-OBT | Program error | High | 8.1
3581811 | [CVE-2025-27428] Directory Traversal vulnerability in SAP NetWeaver and ABAP Platform (Service Data Collection) | Correction with high priority | 08.04.2025 | SV-SMG-SDD | Program error | High | 7.7
3620264 | [CVE-2025-22228] Security Misconfiguration vulnerability in Spring Security within SAP Commerce Cloud and SAP Datahub | Correction with medium priority | 09.09.2025 | CEC-SCC-PLA-PL | Program error | Medium | 6.6
3635587 | [CVE-2025-42912] Missing Authorization check in SAP HCM (My Timesheet Fiori 2.0 application) | Correction with medium priority | 09.09.2025 | PA-FIO-TS | Program error | Medium | 6.5
3643832 | [CVE-2025-42917] Missing Authorization check in SAP HCM (Approve Timesheets Fiori 2.0 application) | Correction with medium priority | 09.09.2025 | PA-FIO-TS | Program error | Medium | 6.5
3611420 | [CVE-2023-5072] Denial of Service (DoS) vulnerability due to outdated JSON library used in SAP BusinessObjects Business Intelligence Platform | Correction with medium priority | 09.09.2025 | BI-BIP-INV | Program error | Medium | 6.5
3614067 | [CVE-2025-42930] Denial of Service (DoS) vulnerability in SAP Business Planning and Consolidation | Correction with medium priority | 09.09.2025 | EPM-BPC-NW-SQE | Program error | Medium | 6.5
3647098 | [CVE-2025-42920] Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management | Correction with medium priority | 09.09.2025 | SRM-EBP-TEC-ITS | Program error | Medium | 6.1
3629325 | [CVE-2025-42938] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Platform | Correction with medium priority | 09.09.2025 | CRM-BF-ML | Program error | Medium | 6.1
3409013 | [CVE-2025-42915] Missing Authorization Check in Fiori app (Manage Payment Blocks) | Correction with medium priority | 09.09.2025 | FI-FIO-AP | Program error | Medium | 5.4
3619465 | [CVE-2025-42926] Missing Authentication check in SAP NetWeaver Application Server Java | Correction with medium priority | 09.09.2025 | BC-WD-JAV | Program error | Medium | 5.3
3627644 | [CVE-2025-42911] Missing Authorization check in SAP NetWeaver (Service Data Download) | Correction with medium priority | 09.09.2025 | SV-SMG-SDD | Program error | Medium | 5.0
3610322 | [CVE-2025-42961] Missing Authorization check in SAP NetWeaver Application Server for ABAP | Correction with medium priority | 08.07.2025 | BC-DB-DBI | Program error | Medium | 4.9
3450692 | [CVE-2025-42923] Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App (F4044 Manage Work Center Groups) | Correction with medium priority | 09.09.2025 | PP-BD-WKC | Program error | Medium | 4.3
3623504 | [CVE-2025-42918] Missing Authorization check in SAP NetWeaver Application Server for ABAP (Background Processing) | Correction with medium priority | 09.09.2025 | BC-CCM-BTC | Program error | Medium | 4.3
3640477 | [CVE-2025-42925] Predictable Object Identifier vulnerability in SAP NetWeaver AS Java (IIOP Service) | Correction with medium priority | 09.09.2025 | BC-JAS-COR-RMT | Program error | Medium | 4.3
3624943 | [CVE-2025-42941] Reverse Tabnabbing vulnerability in SAP Fiori (Launchpad) | Correction with low priority | 12.08.2025 | CA-FLP-FE-COR | Program error | Low | 3.5
3525295 | [CVE-2025-42927] Information Disclosure due to Outdated OpenSSL Version in SAP NetWeaver AS Java (Adobe Document Service) | Correction with low priority | 09.09.2025 | BC-SRV-FP | Release planning information | Low | 3.4
3632154 | [CVE-2024-13009] Potential Improper Resource Release vulnerability in SAP Commerce Cloud | Correction with low priority | 09.09.2025 | CEC-SCC-PLA-PL | Program error | Low | 3.1