SAP’s September 9th release brought 21 new Security Notes and 3 updates. What really stands out this month are two fresh critical flaws in the NetWeaver AS Java stack, plus the re-release of an ABAP note that many customers will remember. On top of that, several serious issues affect IBM i environments, Business One, and the S/4HANA transformation stack.
Critical SAP Vulnerabilities in September 2025
CVE-2025-42944: RMI-P4 Remote Code Execution (CVSS 10.0)
Note 3634501 describes the worst case for an application server: crafted payloads sent to the P4 interface lead straight to code execution at the OS level. The CVSS 10.0 rating says the rest: network-reachable, no privileges required, no user interaction.
Recommended Action to address CVE-2025-42944
Update to the latest SERVERCORE 7.50 patch and make sure the JVM is at least 8u121. Until the patch is in, restrict the P4 ports in ICM so they are reachable only from administrative networks; P4 has no business being exposed beyond that anyway.
CVE-2025-42922: Deploy Web Service File Upload (CVSS 9.9)
Here, an authenticated user with only low privileges can upload executable files through the Deploy Web Service (Note 3643865), which is why the score sits at 9.9 rather than at a plain "authenticated file upload" level.
Recommended Fix for CVE-2025-42922
Patch J2EE-APPS 7.50 (SP028 to SP035). If you can't move that fast, SAP has published a temporary workaround (KBA 3646072); treat it as a stopgap, not a fix.
CVE-2023-27500: ABAP Directory Traversal (CVSS 9.6, re-release)
This one (Note 3302162) targets the SAPRSBRO program, which can be abused to overwrite OS files. Once patched, the program is disabled entirely.
Recommended Fix for CVE-2023-27500
Import the corrections or the Support Packages without delay. Because the flaw allows OS files to be overwritten, an exploit can take the system down, so the downtime risk runs the other way: not patching is what threatens availability.
High Priority Notes
Not everything is "critical," but the following still deserve rapid attention. Note that the first item scores 9.1 and therefore falls into the critical band by the thresholds used in the Severity Snapshot below; treat it accordingly.
IBM i Kernel Auth Bypass (CVE-2025-42958, CVSS 9.1)
Note 3627373: An authentication bypass in the SAP kernel on IBM i. It is especially problematic in multi-SID LPAR setups, where several systems share the same partition. The fix comes via kernel updates.
Business One Credential Exposure (CVE-2025-42933, CVSS 8.8)
Note 3642961: The SLD backend was unintentionally returning database credentials in HTTP responses. There is no workaround: patch, then rotate the DB credentials, since anyone who saw those responses may already hold them.
S/4HANA & LT Replication Deletion Bugs (CVE-2025-42916 / -42929, CVSS 8.1 each)
Notes 3635475 and 3633002: Missing input validation meant that privileged users could delete arbitrary tables. The patches add validation and enforce authorization-group checks on the affected reports.
Other Issues (Medium and Below)
There’s a long tail of issues, most in the medium range:
- DoS flaws in BPC (3614067) and BOBJ JSON parsing (3611420).
- Missing authorization checks in HCM Timesheet apps (3635587, 3643832), allowing unwanted approvals or edits.
- XSS problems in CRM Email Mgmt (3629325) and SRM ITS (3647098).
- Fiori Launchpad reverse tabnabbing (3624943): Mostly a nuisance, already covered in UI5 ≥ 1.71.76.
- Smaller notes cover OpenSSL updates in ADS, CSRF gaps in Fiori Work Center Groups, and predictable IIOP IDs.
None of these are headline risks, but they should be rolled into the next regular patch cycle.
Severity Snapshot
- Critical (≥9.0): 2 new, 1 update
- High (8.0–8.9): 4
- Medium (4.0–7.9): 14
- Low (<4.0): 3
What to Do Now
- Java RCEs first. Get the RMI-P4 and Deploy Web Service patches in within the next 72 hours. Until then, restrict P4 ports and limit Deploy usage to admins only.
- S/4HANA and LT customers: Apply the deletion bug fixes, and double-check who can run the affected reports.
- IBM i: Roll out the kernel updates across all LPARs – this one especially hits multi-SID environments.
- Business One: Patch the SLD backend and rotate DB credentials without delay.
- Fiori and HCM: Apply the UI5 patches and close the missing authorization checks in the Timesheet apps.
- Everything else: Fold the medium/low items into your next scheduled cycle.
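The P4 lockdown recommended above (under CVE-2025-42944 and again in the first action item) is only as good as your knowledge of which P4 endpoints are actually reachable from untrusted networks. The following is an added example, not code from SAP or from the original post: it derives the AS Java port family from the instance number using the default 5<NN>xx scheme (an assumption; instances with custom port profiles will differ) and probes the P4, P4-over-HTTP-tunnel and P4-over-SSL ports from wherever you run it. The host names and instance numbers in the sample landscape are constructed placeholders.

```python
"""Added example (not from SAP or the original post): enumerate the NetWeaver AS
Java port family for a set of instance numbers and probe which P4 endpoints
answer from the current network position. Hosts and instance numbers in the
sample below are constructed placeholders; replace them with your landscape."""
import socket

# Default AS Java port scheme: 5<NN>xx, where NN is the two-digit instance
# number. Offsets are those of the standard scheme (assumption: no custom
# port overrides in the instance profile).
JAVA_PORT_OFFSETS = {
    "http": 0,
    "https": 1,
    "p4": 4,              # plain RMI-P4, the interface hit by CVE-2025-42944
    "p4_http_tunnel": 5,  # P4 over HTTP tunnelling
    "p4_ssl": 6,          # P4 over SSL
    "iiop": 7,
    "telnet": 8,
}


def java_ports(instance_nr: int) -> dict:
    """Return service -> TCP port for one AS Java instance number (00-99)."""
    if not 0 <= instance_nr <= 99:
        raise ValueError("instance number must be in the range 00-99")
    base = 50000 + instance_nr * 100
    return {svc: base + off for svc, off in JAVA_PORT_OFFSETS.items()}


def p4_ports(instance_nr: int) -> list:
    """Only the P4-family ports that should be unreachable from untrusted networks."""
    ports = java_ports(instance_nr)
    return [ports["p4"], ports["p4_http_tunnel"], ports["p4_ssl"]]


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake completes; False on refusal, unreachable host or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposed_p4_endpoints(targets, probe=tcp_reachable) -> list:
    """Probe every (host, instance_nr) pair and return the P4 endpoints that answered.

    `probe` is injectable so the bookkeeping can be exercised without a network;
    in production the default socket probe is used."""
    findings = []
    for host, instance_nr in targets:
        for port in p4_ports(instance_nr):
            if probe(host, port):
                findings.append((host, port))
    return findings


if __name__ == "__main__":
    # Constructed sample landscape; nothing here is a real host.
    sample_targets = [
        ("javaas01.example.internal", 0),
        ("javaas02.example.internal", 1),
    ]
    for host, port in exposed_p4_endpoints(sample_targets):
        print(f"P4 reachable from this vantage point: {host}:{port} "
              f"-> restrict until Note 3634501 is applied")
```

Run it from a network segment that should have no P4 access (an office VLAN, a DMZ jump host) and any line of output is a gap in the interim lockdown. Running it from the admin network, by contrast, should still show the ports open; the goal is segmentation, not breaking administration.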
Closing Thought
Most chatter this month is about the Java stack flaws, and rightly so given their severity. But don't overlook the S/4HANA/LT table deletion issues or the Business One credential exposure. Either could do just as much damage to day-to-day business operations, even without a perfect 10.