SAP Security Patch Day Addresses 21 Vulnerabilities, 4 Classified as Critical
On Tue, Sep 9, 2025, SAP released security patches addressing 21 new vulnerabilities within its product suite, along with updates to four previously issued security notes.
Among these, four vulnerabilities are classified as Critical. Organizations utilizing SAP systems are advised to prioritize applying these patches to mitigate potential security risks.
This security update encompasses a range of SAP products, including NetWeaver components, ABAP platforms, S/4HANA, and Business One modules.
The vulnerabilities rated as Critical have a CVSS score of 9.0 or higher, indicating a significant impact on confidentiality, integrity, and availability if not promptly addressed.
SAP also refined or expanded patches for four earlier security notes, enhancing existing security measures.
Details on the security notes and the required updates are available through the SAP Support Portal. Customers are strongly encouraged to apply these updates without delay.
Vulnerability Details
The Critical vulnerabilities include issues such as insecure deserialization in SAP NetWeaver, insecure file operations in AS Java, directory traversal in ABAP platforms, and missing authentication checks in NetWeaver kernels.
High-severity vulnerabilities primarily involve missing input validation or insecure storage, impacting modules like Business One, S/4HANA replication, and SAP Landscape Transformation servers.
Medium-rated vulnerabilities involve misconfigurations, cross-site scripting, and missing authorization checks in HCM Fiori apps, Commerce Cloud, and Business Planning modules.
Low-rated vulnerabilities address reverse tabnabbing in Fiori launchpads, outdated OpenSSL in Adobe Document Services, and a historical vulnerability in Commerce Cloud.
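Directory traversal appears twice in this month's list (CVE-2023-27500, Critical; CVE-2025-27428, High). As an added illustration that is not code from SAP or from this advisory, the hypothetical Python helper below shows the containment check a defender wants in any file-serving code path: resolve the joined path and verify it is still inside the intended base directory, rather than pattern-matching for `..`. The base directory and request strings are constructed sample values.

```python
from pathlib import Path
from typing import Optional
from urllib.parse import unquote


def resolve_within(base_dir: str, requested: str) -> Optional[Path]:
    """Return the absolute path for `requested` only if it stays inside base_dir.

    Hypothetical helper (not SAP code). Returns None for anything that escapes
    the base directory, including absolute paths, '..' segments, percent-encoded
    traversal and embedded NUL bytes.
    """
    # Percent-decode once so "%2e%2e%2f" cannot bypass a naive check.
    decoded = unquote(requested)
    if "\x00" in requested or "\x00" in decoded:
        return None

    base = Path(base_dir).resolve()
    # Joining an absolute `decoded` replaces `base`; resolve() collapses "..".
    # Either way the containment check below catches the escape.
    candidate = (base / decoded).resolve()
    if candidate == base:
        return None  # a request for the directory itself is not a file
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def classify_requests(base_dir: str, requests):
    """Map each constructed request string to 'allowed' or 'rejected'."""
    return {
        r: ("allowed" if resolve_within(base_dir, r) is not None else "rejected")
        for r in requests
    }


if __name__ == "__main__":
    # Constructed sample requests against a constructed base directory.
    sample = [
        "reports/q3.pdf",
        "../../etc/passwd",
        "/etc/passwd",
        "reports/../../secret.txt",
        "%2e%2e/%2e%2e/etc/passwd",
        "reports/q3.pdf\x00.txt",
    ]
    for req, verdict in classify_requests("/srv/app/files", sample).items():
        print(f"{verdict:8s} {req!r}")
```

The check is deliberately deny-by-default: only a path that resolves to a strict descendant of the base directory is returned, so new encodings or separators do not need to be enumerated.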
| CVE(s) | Title | Priority | CVSS |
|---|---|---|---|
| CVE-2025-42944 | Insecure Deserialization | Critical | 10.0 |
| CVE-2025-42922 | Insecure File Operations | Critical | 9.9 |
| CVE-2023-27500 | Directory Traversal | Critical | 9.6 |
| CVE-2025-42958 | Missing Authentication Check | Critical | 9.1 |
| CVE-2025-42933 | Insecure Storage of Sensitive Information | High | 8.8 |
| CVE-2025-42929 | Missing Input Validation | High | 8.1 |
| CVE-2025-42916 | Missing Input Validation | High | 8.1 |
| CVE-2025-27428 | Directory Traversal | High | 7.7 |
| CVE-2025-22228 | Security Misconfiguration | Medium | 6.6 |
| CVE-2025-42930 | Denial of Service | Medium | 6.5 |
| CVE-2025-42912, CVE-2025-42913, CVE-2025-42914 | Missing Authorization Check | Medium | 6.5 |
| CVE-2025-42917 | Missing Authorization Check | Medium | 6.5 |
| CVE-2023-5072 | Denial of Service (outdated JSON library) | Medium | 6.5 |
| CVE-2025-42920 | Cross-Site Scripting | Medium | 6.1 |
| CVE-2025-42938 | Cross-Site Scripting | Medium | 6.1 |
| CVE-2025-42915 | Missing Authorization Check | Medium | 5.4 |
| CVE-2025-42926 | Missing Authentication Check | Medium | 5.3 |
| CVE-2025-42911 | Missing Authorization Check | Medium | 5.0 |
| CVE-2025-42961 | Missing Authorization Check | Medium | 4.9 |
| CVE-2025-42925 | Predictable Object Identifier | Medium | 4.3 |
| CVE-2025-42923 | Cross-Site Request Forgery | Medium | 4.3 |
| CVE-2025-42918 | Missing Authorization Check | Medium | 4.3 |
| CVE-2025-42941 | Reverse Tabnabbing | Low | 3.5 |
| CVE-2025-42927 | Information Disclosure (outdated OpenSSL) | Low | 3.4 |
| CVE-2024-13009 | Improper Resource Release | Low | 3.1 |
For secure configuration guidance and detailed vulnerability information, customers can consult the SAP Support portal and official documentation.