In September 2025, there are 4 critical-priority security notes.
These notes require one of the following actions: upgrading the affected software components or implementing the corrections described in the notes.
However, for Java and dual-stack systems, a temporary workaround can be applied instead.
For more information about SAP Security Patches, follow the link: SAP Security Patch Day – September 2025
3634501 – [CVE-2025-42944] Insecure Deserialization vulnerability in SAP Netweaver (RMI-P4)
- Priority: Critical
- CVSS: 10.0
- Product: SAP NetWeaver (PO, EP); SAP NetWeaver AS Java
- Version: SERVERCORE 7.50
Issue
Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting a malicious payload to an open port.
Solution
The issue is resolved by updating the affected P4-Lib component to enforce secure deserialization.
- Patch the component: J2EE ENGINE SERVERCORE 7.50.
Workaround
- If your system is already isolated at the network level and the P4 and P4S ports are not reachable from untrusted networks, the workaround is already in place and you can skip the information below.
- Check in SMICM whether your Java systems' P4 and P4S ports are exposed, and identify which systems connect through these ports.
- Make sure only trusted systems can access the P4 and P4S ports. If needed, consult your network administrator to configure the firewall accordingly.
- You can filter client IP addresses using the ACLFILE option of the icm/server_port_<x> parameter.
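As an added example (not SAP's code and not part of the note), the following Python audits the icm/server_port_<x> lines of a constructed instance-profile excerpt for P4/P4S listeners that have no ACLFILE, and evaluates a constructed ICM ACL file for a given client address. It assumes ICM processes ACL rules top-down, first match wins, with an implicit deny when no rule matches.

```python
# Added example (not SAP code): audit icm/server_port_<x> lines for P4/P4S
# listeners without ACLFILE, and evaluate an ICM ACL file for a client IP.
# Assumption: ACL rules apply top-down, first match wins, implicit deny.
import ipaddress
import re

# Constructed instance-profile excerpt (not from a real system).
PROFILE = """
icm/server_port_0 = PROT=HTTP,PORT=50000
icm/server_port_1 = PROT=P4,PORT=50004
icm/server_port_2 = PROT=P4S,PORT=50006,ACLFILE=/usr/sap/XXX/SYS/global/security/data/p4_acl.txt
"""

# Constructed ACL file in ICM syntax: permit|deny <network>/<prefix>.
P4_ACL = """
# only the application servers and the admin jump host may reach P4
permit 10.20.0.0/24
permit 10.99.1.5/32
deny   0.0.0.0/0
"""

PORT_RE = re.compile(r"^\s*icm/server_port_\d+\s*=\s*(.+?)\s*$")

def parse_server_ports(profile: str) -> list[dict]:
    """Return the KEY=VALUE options of every icm/server_port_<x> line."""
    ports = []
    for line in profile.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.append(dict(kv.split("=", 1) for kv in m.group(1).split(",")))
    return ports

def unrestricted_p4_ports(profile: str) -> list[str]:
    """P4/P4S listeners with no ACLFILE option, i.e. reachable from any client."""
    return [p["PORT"] for p in parse_server_ports(profile)
            if p.get("PROT", "").upper() in ("P4", "P4S") and "ACLFILE" not in p]

def acl_decision(acl_text: str, client_ip: str) -> str:
    """Decide permit/deny for client_ip: first matching rule wins, else deny."""
    ip = ipaddress.ip_address(client_ip)
    for raw in acl_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        action, network = line.split()[:2]
        # membership is False for mismatched IP versions, so v6 falls through
        if ip in ipaddress.ip_network(network, strict=False):
            return action.lower()
    return "deny"
```

Running `unrestricted_p4_ports(PROFILE)` flags port 50004 as the P4 listener still missing an ACL; the P4S listener already carries one.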
References
3634501 – [CVE-2025-42944] Insecure Deserialization vulnerability in SAP Netweaver (RMI-P4)
3643865 – [CVE-2025-42922] Insecure File Operations vulnerability in SAP NetWeaver AS Java (Deploy Web Service)
- Priority: Critical
- CVSS: 9.9
- Product: SAP NetWeaver AS JAVA
- Version: J2EE-APPS 7.50
Issue
SAP NetWeaver AS Java allows an attacker authenticated as a non-administrative user to use a flaw in an available service to upload an arbitrary file.
Solution
Implement the J2EE ENGINE APPLICATIONS 7.50 component listed in the “Support Package Patches” section.
- Patch the component: J2EE ENGINE APPLICATIONS 7.50.
Workaround
Add the filter using the Config Tool and the NWA Java System Properties.
- Refer to the following link for usage of the Config Tool filter: https://me.sap.com/notes/3646072/E
- Refer to the following link for adding an NWA filter to disable the ‘Deploy Web Service’ component: https://me.sap.com/notes/3646072/E
- Note: afterwards, restart the Java cluster (SMICM > Administration > J2EE Cluster (global) > Restart).
References
3302162 – [CVE-2023-27500] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform
- Priority: Critical
- CVSS: 9.6
- Product: SAP NetWeaver, ABAP Platform
- Version: SAP_BASIS 700 – 757
Issue
An attacker with non-administrative authorizations can exploit a directory traversal flaw in program SAPRSBRO to overwrite system files.
Solution
Implement the code corrections, or apply the Support Package (or a higher one) listed in SAP Note 3302162.
- SAP_BASIS 700 – 757
References
3627373 – [CVE-2025-42958] Missing Authentication check in SAP NetWeaver
- Priority: Critical
- CVSS: 9.1
- Product: SAP NetWeaver (IBM i-series)
- Version: KRNL64UC/NUC 7.22 – 7.53; KERNEL 7.22 – 7.54
Issue
Due to a missing authentication check in the SAP NetWeaver application on IBM i-series, the application allows unauthorized high-privileged users to read, modify, or delete sensitive information, as well as access administrative or privileged functionality.
Solution
Patch the kernel mentioned in SAP Note 3627373.
- Patch the Kernel: KRNL64NUC/UC, KERNEL
References
3627373 – [CVE-2025-42958] Missing Authentication check in SAP NetWeaver