SAP September 2025 Patch Day Fixes Critical Flaws in NetWeaver
SAP has released a total of 21 new security notes and four updated ones as part of its September Patch Day, addressing critical vulnerabilities in its NetWeaver platform. Among these, four notes specifically target high-severity flaws that enable Remote Code Execution (RCE) and privilege escalation.
NetWeaver Vulnerabilities Addressed by SAP
In a press release, SAP revealed the patches for two critical NetWeaver AS Java vulnerabilities. Note #3634501 addresses an insecure deserialization issue in the RMI-P4 module, tracked as CVE-2025-42944 (CVSS score of 10.0). This vulnerability allows an unauthenticated attacker to execute arbitrary OS commands by submitting malicious payloads to an open port. A successful exploit can lead to full compromise of the application.
The advisory published by Onapsis Research Labs notes that, as a temporary workaround, customers should add P4 port filtering at the ICM level to prevent unknown hosts from connecting to the P4 port. The second NetWeaver AS Java vulnerability addressed by SAP is Note #3643865, which fixes an insecure file operations flaw tracked as CVE-2025-42922 (CVSS score of 9.9). This vulnerability risks full system compromise if non-admin users can upload and execute arbitrary files.
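To make the P4 filtering workaround concrete, here is an added example (not from the article, SAP, or Onapsis) that checks a proposed ICM-style access-control list before it is deployed: it evaluates which source hosts would be allowed to reach the P4 port and flags an allowlist that is wider than intended. It assumes a simple "permit|deny <ip>/<prefix>" rule format, top-down evaluation with first match wins, and rejection of anything unmatched; the actual ICM ACL file syntax should be taken from SAP's documentation.

```python
# Added example, not part of the original article or SAP's own tooling.
# Assumed rule format: one "permit|deny <ip>/<prefix>" per line, '#' comments,
# evaluated top-down, first match wins, unmatched hosts rejected.
import ipaddress
from typing import List, Tuple

# Constructed sample ACL: only the application-server subnet and one
# administration host may open a connection to the P4 port.
ACL_TEXT = """\
permit 10.10.0.0/24
permit 192.168.5.17/32
deny   0.0.0.0/0
"""

def parse_acl(text: str) -> List[Tuple[str, object]]:
    """Turn the ACL text into an ordered list of (action, network) rules."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[0] not in ("permit", "deny"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        rules.append((parts[0], ipaddress.ip_network(parts[1], strict=False)))
    return rules

def is_permitted(rules, src_ip: str) -> bool:
    """Decide whether a connection from src_ip would be accepted."""
    ip = ipaddress.ip_address(src_ip)
    for action, net in rules:
        if ip in net:            # first matching rule wins (assumed semantics)
            return action == "permit"
    return False                 # assumed default: unmatched hosts are rejected

def audit(rules) -> List[str]:
    """Flag weaknesses: a permit-all rule reopens the port to every host, and a
    missing explicit trailing deny leaves the outcome to the implicit default."""
    findings = []
    for action, net in rules:
        if action == "permit" and net.prefixlen == 0:
            findings.append("permit-all rule makes the filter ineffective")
    if not rules or rules[-1] != ("deny", ipaddress.ip_network("0.0.0.0/0")):
        findings.append("no explicit trailing deny 0.0.0.0/0")
    return findings
```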
Additional Security Notes Address High, Medium, and Low-Severity Flaws
SAP has released a total of 21 security notes this September Patch Day, addressing high-, medium-, and low-severity issues. Among these is HotNews Note #3302162, which fixes a Directory Traversal flaw in NetWeaver AS ABAP (CVSS score of 9.6). Originally released in March 2023, it has now been updated with new fixes.
The fourth HotNews note issued by SAP addresses a missing authentication check tracked as CVE-2025-42958 (CVSS score of 9.1) in SAP NetWeaver BC-OP-AS4. The remaining security notes resolve high-, medium-, and low-severity issues, although it is unclear whether any of these vulnerabilities are being exploited in the wild.