September 2025 SAP Security Patch Day: 21 Vulnerabilities Addressed, Including 4 Critical Issues Resolved

As part of its scheduled security maintenance, SAP released its September 2025 Patch Day notes, addressing a total of 21 new vulnerabilities and providing updates to four previously released security advisories. Among the newly addressed flaws are four critical vulnerabilities that could expose SAP systems to significant risk, including remote code execution and complete system compromise. Organisations are strongly urged to apply these patches to safeguard their enterprise environments. The most severe vulnerability this month, identified as CVE-2025-42944, carries a CVSS score of 10.0, the highest possible rating. This flaw is an Insecure Deserialization vulnerability in SAP NetWeaver’s Remote Method Invocation (RMI-P4) component. A successful exploit could allow an unauthenticated remote attacker to execute arbitrary code, potentially leading to a full compromise of the affected system’s confidentiality, integrity, and availability.

Another critical issue, CVE-2025-42922, affects the SAP NetWeaver Application Server (AS) Java. This Insecure File Operations vulnerability, with a CVSS score of 9.9, allows a low-privileged attacker to perform unauthorised file operations. This could enable the attacker to read, modify, or delete sensitive system files, leading to a significant impact on the system’s security. An update was issued for a previously disclosed critical vulnerability, CVE-2023-27500, a Directory Traversal flaw in SAP NetWeaver AS for ABAP and ABAP Platform. With a CVSS score of 9.6, this vulnerability could be exploited by an attacker with low privileges to overwrite critical system files, potentially causing system-wide disruption and data corruption. The fourth critical vulnerability, CVE-2025-42958, is a Missing Authentication check in SAP NetWeaver, rated with a CVSS score of 9.1. This vulnerability could be exploited by a highly privileged attacker to bypass authentication mechanisms, granting them unauthorised access to critical functionalities and data. 
