SAP Security Notes, September 2025

Inprosec, through services such as the SAP Security Assessment, helps its customers improve the security level of their SAP systems.

September 2025 Notes

Monthly Summary and Highlights

This month the total is 21 notes, 2 more than in the previous month. There are 4 Hot News notes, 1 more than in the previous period, and 4 high-criticality notes, 2 more than in the previous month. Medium and low notes are not reviewed, so we provide details on a total of 8 notes (all those with a CVSS of 7 or higher).

We have a total of 21 notes for the whole month (17 new and 4 updates of notes published in previous months).

We will review in detail a total of 5 notes, all of high criticality and Hot News:

  1. The highest-criticality note of the month (CVSS 10) is a Hot News note with the maximum possible score. It is a new note related to “Insecure Deserialization vulnerability in SAP NetWeaver (RMI-P4)”.
  2. The next in criticality (CVSS 9.9) is the following Hot News, related to “Insecure File Operations vulnerability in SAP NetWeaver AS Java (Deploy Web Service)”.
  3. The next in criticality (CVSS 9.6) is the third Hot News of the month, an update of one published in March 2023. It is related to “Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform”.
  4. The next note in criticality (CVSS 8.8) is the first high-criticality note, related to “Insecure Storage of Sensitive Information in SAP Business One (SLD)”.
  5. The next note in criticality (CVSS 8.1) is related to “Missing input validation vulnerability in SAP Landscape Transformation Replication Server”.
  6. The next note in criticality (CVSS 8.1) is related to “Missing input validation vulnerability in SAP S/4HANA (Private Cloud or On-Premise)”.
  7. Finally, the last note we are going to analyze, with a criticality of CVSS 7.7, is an update of a note released in April this year, related to “Directory Traversal vulnerability in SAP NetWeaver and ABAP Platform (Service Data Collection)”.

This month the most predominant type is “Missing Authorization Check” (8/21 on Patch Day).

In the chart we can see the classification of the September notes, as well as the trend and classification of the previous 5 months (only the Security Patch Day notes published by SAP):

Full details

The complete detail of the most relevant notes is as follows:

  1. Insecure Deserialization vulnerability in SAP NetWeaver (RMI-P4) (3634501): In SAP NetWeaver, an unauthenticated attacker could exploit a deserialization vulnerability in the RMI-P4 module by sending malicious payloads to an open port. This insecure deserialization of untrusted Java objects could allow arbitrary OS command execution, severely impacting confidentiality, integrity, and availability. SAP resolved the issue by updating the affected P4-Lib component to enforce secure deserialization and restrict acceptance of untrusted objects. Customers must implement the patches specified in the note, ensure that the JVM version is greater than Java 8 u121, and review the dependency guidance to avoid incompatibilities. If patches cannot be applied immediately, administrators can mitigate the risk by filtering the P4 port at the ICM level, allowing only trusted hosts and blocking all others. This workaround should only be used temporarily until the official fix is applied, after which it can be rolled back. CVSS v3 Base Score 10/10 [CVE-2025-42944]
  2. Insecure File Operations vulnerability in SAP NetWeaver AS Java (Deploy Web Service) (3643865): In SAP NetWeaver AS Java, an attacker authenticated as a non-administrative user could exploit a flaw in an available service to upload arbitrary files which, if executed, could result in full system compromise, affecting confidentiality, integrity, and availability. SAP resolved this issue by restricting access to the vulnerable web service exclusively to administrative users. A temporary workaround is available and described in KBA 3646072. It should only be used if patches cannot be applied immediately and must be assessed for applicability to the specific SAP landscape. SAP strongly recommends applying the permanent fix as soon as possible. CVSS v3 Base Score 9.9/10 [CVE-2025-42922]
  3. Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform (update) (3302162): In SAP, a directory traversal vulnerability in program SAPRSBRO allows an attacker with non-administrative authorizations to overwrite system files. While no data can be read, critical OS files may be replaced, leading to system unavailability. In the current version (v11, 9th September 2025), the note was re-released with updated Correction Instruction information. To resolve the issue, customers must implement the referenced Support Package or apply the attached coding corrections, which disable execution of the vulnerable program. For further details, SAP Note 3311360 provides additional guidance. CVSS v3 Base Score 9.6/10 [CVE-2023-27500]
  4. Missing Authentication check in SAP NetWeaver (3627373): In SAP NetWeaver on IBM i-series, a missing authentication check allows highly privileged unauthorized users to read, modify, or delete sensitive information, as well as access administrative functions, severely impacting confidentiality, integrity, and availability. Systems are affected when multiple SAP system IDs (SIDs) are configured in one logical partition (LPAR). SAP resolved the issue by enforcing proper access restrictions and limiting SAP user profile rights. The fix is delivered via updated kernel patch levels (hotfix ILE.SAR or SP Stack Kernel files SAPEXE.SAR and SAPEXEDB.SAR). Customers should apply the latest available SP Stack Kernel or hotfix as recommended in the note and related kernel guidance. No workaround is available; applying the kernel patch is mandatory. CVSS v3 Base Score 9.1/10 [CVE-2025-42958]
  5. Insecure Storage of Sensitive Information in SAP Business One (SLD) (3642961): In SAP Business One, when a user logs in via the native client, the SLD backend service failed to properly encrypt the responses of certain APIs, resulting in exposure of sensitive credentials in the HTTP response body. This flaw could compromise confidentiality, integrity, and availability of the application. SAP fixed the issue by enhancing the SLD service logic to securely encrypt the database password in responses. Customers must implement the referenced Support Packages and Patches to mitigate the risk. There is no workaround. CVSS v3 Base Score 8.8/10 [CVE-2025-42933]
  6. Missing input validation vulnerability in SAP Landscape Transformation Replication Server (3633002): In SAP, missing input validation allows an attacker with high-privilege access to ABAP reports to delete the content of arbitrary database tables if they are not protected by an authorization group. This vulnerability severely impacts database integrity and availability. SAP resolved the issue by removing obsolete and outdated code. Customers must apply the Correction Instructions or Support Packages referenced in the note. CVSS v3 Base Score 8.1/10 [CVE-2025-42929]
  7. Missing input validation vulnerability in SAP S/4HANA (Private Cloud or On-Premise) (3635475): In SAP, missing input validation in ABAP reports allows an attacker with high-privilege access to delete the content of arbitrary database tables that are not protected by an authorization group. This vulnerability affects database integrity and availability, though confidentiality is not impacted. SAP resolved the issue by removing obsolete and outdated code. Customers must apply the Correction Instructions or Support Packages specified in the note. No workaround is available; the official fix must be applied. CVSS v3 Base Score 8.1/10 [CVE-2025-42916]
  8. Directory Traversal vulnerability in SAP NetWeaver and ABAP Platform (Service Data Collection) (update) (3581811): In SAP Solution Manager, a directory traversal vulnerability in an RFC-enabled function module allows an authorized attacker to read files from any managed system, potentially exposing critical information and impacting confidentiality, though integrity and availability are unaffected. In the current version (v8, 9th September 2025), the note was re-released with updated Correction Instructions. SAP fixed the issue by enforcing proper path checks in the Service Data Collection function module to prevent arbitrary file reads. Customers must implement the referenced Correction Instructions or Support Packages. No workaround is available; applying the correction is required. CVSS v3 Base Score 7.7/10 [CVE-2025-27428]
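The RMI-P4 note (3634501, item 1 above) makes the patch conditional on the JVM being newer than Java 8 u121, so a pre-check across AS Java hosts is a natural first step before rollout. The following Python script is an added example written for this post, not code from Inprosec or SAP: it parses both the pre-9 "1.8.0_121" and the post-9 "17.0.2" version formats as printed by `java -version` and reports hosts that do not exceed the floor. The host names and version strings are constructed sample data.

```python
import re

# Floor taken from the note summary above: the JVM must be newer than
# Java 8 update 121. Encoded as (major, minor, update); the check is strict.
JAVA_FLOOR = (8, 0, 121)

# Legacy scheme (Java 8 and older): "1.8.0_121", "1.7.0_80-b15"
_LEGACY = re.compile(r"^1\.(\d+)(?:\.(\d+))?(?:_(\d+))?")
# Modern scheme (Java 9 and newer): "9.0.4", "11.0.19+7", "17.0.2", "21"
_MODERN = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_java_version(text):
    """Return (major, minor, update) from a bare version string or from the
    full `java -version` output. Build metadata after the numbers is ignored."""
    quoted = re.search(r'version "([^"]+)"', text)
    ver = quoted.group(1) if quoted else text.strip()
    legacy = _LEGACY.match(ver)
    if legacy:
        # "1.8.0_121" -> (8, 0, 121): the leading "1." is not the major version
        return (int(legacy.group(1)), int(legacy.group(2) or 0), int(legacy.group(3) or 0))
    modern = _MODERN.match(ver)
    if modern:
        return (int(modern.group(1)), int(modern.group(2) or 0), int(modern.group(3) or 0))
    raise ValueError(f"unrecognised Java version string: {ver!r}")


def jvm_meets_floor(text, floor=JAVA_FLOOR):
    """True if the JVM described by `text` is strictly newer than `floor`.
    Java 8 u121 itself therefore fails, matching the 'greater than' wording."""
    return parse_java_version(text) > floor


# Constructed sample: first line of `java -version` from three hypothetical
# AS Java hosts. These are not real systems.
SAMPLE_INVENTORY = {
    "asjava-prod-01": 'java version "1.8.0_202"',
    "asjava-prod-02": 'java version "1.8.0_121"',
    "asjava-dev-01": 'openjdk version "17.0.2" 2022-01-18',
}


def hosts_below_floor(inventory, floor=JAVA_FLOOR):
    """Sorted host names whose JVM does not exceed the floor."""
    return sorted(h for h, v in inventory.items() if not jvm_meets_floor(v, floor))


if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        status = "ok" if jvm_meets_floor(ver) else "BELOW FLOOR: update JVM before applying 3634501"
        print(f"{host:16} {parse_java_version(ver)}  {status}")
```

The version tuple comparison is what makes the check safe across the two numbering schemes: a modern "17.0.2" becomes (17, 0, 2) and a legacy "1.8.0_202" becomes (8, 0, 202), so both compare correctly against the (8, 0, 121) floor. A host that fails is still covered by the temporary ICM filtering of the P4 port that the note describes until its JVM can be updated.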

Reference links

Other references, from SAP and Onapsis (September):

SAP Security Patch Day – September 2025

SAP Patch Day: September 2025 – Onapsis


Resources affected

The full list of affected systems/components is as follows:

SAP NetWeaver
  • RMI-P4: SERVERCORE 7.50
  • Application Server Java (Deploy Web Service): J2EE-APPS 7.50
  • AS for ABAP and ABAP Platform: 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757
  • ABAP Platform / Service Data Collection: ST-PI 2008_1_700, 2008_1_710, 740
  • Application Server Java (IIOP Service): SERVERCORE 7.50
  • Application Server Java: WD-RUNTIME 7.50
  • Service Data Download: SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816
SAP Business One (SLD)
  • B1_ON_HANA 10.0, SAP-M-BO 10.0
SAP Landscape Transformation
  • Replication Server: DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020
SAP S/4HANA (Private Cloud or On-Premise)
  • S4CORE 102, 103, 104, 105, 106, 107, 108
SAP Business Planning and Consolidation (BPC)
  • BPC4HANA 200, 300, SAP_BW 750–758, 816, 914, CPMBPC 810
SAP HCM (Fiori apps)
  • My Timesheet / Approve Timesheets Fiori 2.0: GBX01HR5 605
SAP BusinessObjects Business Intelligence Platform
  • ENTERPRISE 430, 2025, 2027
SAP Supplier Relationship Management (SRM)
  • SRM_SERVER 700, 701, 702, 713, 714
SAP NetWeaver ABAP Platform
  • S4CRM 100, 200, 204, 205, 206; S4CEXT 109; BBPCRM 713, 714
SAP Fiori Apps
  • Manage Payment Blocks: S4CORE 107, 108
  • F4044 Manage Work Center Groups: UIS4HOP1 600, 700, 800, 900
  • Launchpad: SAP_UI 754
SAP Commerce Cloud / SAP Datahub
  • HY_COM 2205, HY_DHUB 2205, COM_CLOUD 2211, DHUB_CLOUD 2211
SAP NetWeaver AS Java (Adobe Document Service)
  • ADSSAP 7.50
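To turn the list above into a quick scoping check, the following Python script is an added example written for this post (not code from Inprosec or SAP). It encodes the component/release pairs listed above and compares them against a system's installed-component inventory. The inventory text format and the sample system are constructed for the example; the "AS for ABAP and ABAP Platform" line, which names releases but no software component, is not encoded. A match only means the system is in scope for at least one September note: whether the correction is already installed still has to be checked against the note's own support package or patch level.

```python
# Component/release pairs transcribed from the "Resources affected" list above
# (SAP Security Patch Day, September 2025). Ranges such as SAP_BW 750-758 are
# expanded; lines without a software component name are not encoded.
AFFECTED = {
    "SERVERCORE": {"7.50"},          # RMI-P4 and IIOP Service
    "J2EE-APPS": {"7.50"},           # Deploy Web Service
    "WD-RUNTIME": {"7.50"},
    "ADSSAP": {"7.50"},              # Adobe Document Service
    "ST-PI": {"2008_1_700", "2008_1_710", "740"},
    "SAP_BASIS": {str(r) for r in range(700, 703)} | {"731", "740"}
                 | {str(r) for r in range(750, 759)} | {"816"},
    "B1_ON_HANA": {"10.0"},
    "SAP-M-BO": {"10.0"},
    "DMIS": {"2011_1_620", "2011_1_640", "2011_1_700", "2011_1_710",
             "2011_1_730", "2011_1_731", "2011_1_752", "2020"},
    "S4CORE": {str(r) for r in range(102, 109)},
    "BPC4HANA": {"200", "300"},
    "SAP_BW": {str(r) for r in range(750, 759)} | {"816", "914"},
    "CPMBPC": {"810"},
    "GBX01HR5": {"605"},
    "ENTERPRISE": {"430", "2025", "2027"},
    "SRM_SERVER": {"700", "701", "702", "713", "714"},
    "S4CRM": {"100", "200", "204", "205", "206"},
    "S4CEXT": {"109"},
    "BBPCRM": {"713", "714"},
    "UIS4HOP1": {"600", "700", "800", "900"},
    "SAP_UI": {"754"},
    "HY_COM": {"2205"},
    "HY_DHUB": {"2205"},
    "COM_CLOUD": {"2211"},
    "DHUB_CLOUD": {"2211"},
}


def parse_inventory(text):
    """Parse a constructed 'component release [sp-level] [description]' listing
    into (component, release) pairs. Blank lines and '#' comments are skipped;
    only the first two whitespace-separated fields are used."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed inventory line: {line!r}")
        pairs.append((fields[0], fields[1]))
    return pairs


def find_exposed(inventory_text, affected=AFFECTED):
    """Sorted (component, release) pairs from the inventory that appear in the
    affected table. A hit means 'in scope'; the installed SP/patch level must
    still be compared with the note to decide whether the fix is present."""
    return sorted({p for p in parse_inventory(inventory_text)
                   if p[1] in affected.get(p[0], ())})


# Constructed sample inventory for a hypothetical system; not real data.
SAMPLE_INVENTORY = """\
# component   release     sp-level  description
SAP_BASIS     757         0004      SAP Basis Component
SAP_UI        755         0002      User Interface Technology
S4CORE        108         0001      S4CORE
DMIS          2018_1_752  0009      DMIS 2018_1
WD-RUNTIME    7.50        0030      Web Dynpro Runtime
SAP_GWFND     757         0004      SAP Gateway Foundation
"""

if __name__ == "__main__":
    for component, release in find_exposed(SAMPLE_INVENTORY):
        print(f"{component:12} {release:12} in scope: compare SP level with the note")
```

Keeping the affected table as data rather than hard-coding it into the logic means the same script can be re-used each Patch Day by replacing the table; the real inventory can be exported from the system's component overview in whatever column layout is convenient, as long as the component and release come first.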
