SAP Patchday September 2025 fixes more than twenty vulnerabilities – four rated HotNews

SAP Netweaver trips over insecure deserialization and insecure file operations. Four vulnerabilities carry SAP's highest priority, one of them with the maximum possible criticality score.


SAP has fixed twenty-one new vulnerabilities on its ninth security patchday of the year and has classified four of them as "HotNews," its highest severity category. Administrators and managed service providers should act quickly.

The four HotNews relate to:

  • An insecure deserialization in Netweaver RMI-P4 receives the highest possible score of 10.0 CVSS points (severity: critical) and the CVE ID CVE-2025-42944. The vulnerability can be abused for arbitrary code execution.
  • SAP Netweaver AS Java handles files insecurely: CVE-2025-42922 (CVSS 9.9, critical) lets an authenticated SAP user upload arbitrary files and have them executed.
  • The third HotNews is an update to a vulnerability first addressed in March 2023, apparently incompletely at the time: CVE-2023-27500 in SAP Netweaver AS for ABAP and ABAP Platform, CVSS 9.6 (critical).
  • CVE-2025-42958, a missing authentication check in SAP Netweaver on IBM i-series, is also rated critical with 9.1 points; it can only be exploited by users who are already logged in.


SAP has released further security patches for SAP Commerce Cloud, Datahub, HCM, BusinessObjects, Fiori and other products from the group. The public patchday overview at least lets interested third parties see which problems were fixed; the details and the patches themselves require an SAP account.

Only recently, active attacks on a critical S/4HANA vulnerability became known, while a well-known product from competitor Microsoft suffered from insecure deserialization of its own: the "ToolShell" SharePoint exploit caused a stir last July and is still having an impact today, for example through a data leak at Infoniqa.

(cku)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.