In September 2025 there are four high-priority security notes.

These notes require one of the following actions: upgrading the affected software components or implementing the corrections delivered with the note.

For more information about the SAP Security Patches, follow the link: SAP Security Patch Day – September 2025


3642961 – [CVE-2025-42933] Insecure Storage of Sensitive Information in SAP Business One (SLD)

  • Priority: High
  • CVSS: 8.8
  • Product: SAP Business One (SLD)
  • Version: B1_ON_HANA, SAP-M-BO

Issue

When a user logs in via the SAP Business One native client, the SLD backend service fails to enforce proper encryption on certain APIs, so sensitive information is stored insecurely.

Solution

Implement the Support Packages and Patches mentioned in the security note (see SAP Note 3642961).

  • Patch the component: SAP BUSINESS ONE 10.0
  • Patch the component: SAP B1 10.0 FOR SAP HANA

References

3642961 – [CVE-2025-42933] Insecure Storage of Sensitive Information in SAP Business One (SLD)


3633002 – [CVE-2025-42929] Missing input validation vulnerability in SAP Landscape Transformation Replication Server

  • Priority: High
  • CVSS: 8.1
  • Product: SAP Landscape Transformation Replication Server
  • Version: DMIS

Issue

Due to missing input validation, an attacker with high-privilege access to ABAP reports could delete the content of arbitrary database tables, if the tables are not protected by an authorization group.

Solution

Implement the Correction Instructions or the Support Packages and Patches referenced in the security note.

  • Patch the component: DMIS 2011_1_700 – DMIS 2020

References

3633002 – [CVE-2025-42929] Missing input validation vulnerability in SAP Landscape Transformation Replication Server


3635475 – [CVE-2025-42916] Missing input validation vulnerability in SAP S/4HANA (Private Cloud or On-Premise)

  • Priority: High
  • CVSS: 8.1
  • Product: SAP S/4HANA (Private Cloud or On-Premise)
  • Version: S4CORE 102 – 108

Issue

Due to missing input validation, an attacker with high-privilege access to ABAP reports could delete the content of arbitrary database tables, if the tables are not protected by an authorization group.

Solution

The issue is fixed by removing the obsolete code.

Implement the Correction Instructions or the Support Packages and Patches referenced in the security note.

  • Patch the component: S4CORE 102 – 108

References

3635475 – [CVE-2025-42916] Missing input validation vulnerability in SAP S/4HANA (Private Cloud or On-Premise)
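Both notes 3633002 and 3635475 share the same precondition: only tables that carry no authorization group can be wiped. The following report is an added example (not code from SAP or from this page) that scopes that exposure on a system before and after patching. It reads the real dictionary tables DD02L (active transparent tables) and TDDAT (authorization group per table, maintained via SE54); the report name is hypothetical.

```abap
*&---------------------------------------------------------------------*
*& Report Z_TABLES_WITHOUT_AUTHGROUP (hypothetical name, added example)
*& Lists active transparent tables that have no specific authorization
*& group in TDDAT: no entry at all, an empty CCLASS, or the
*& "not classified" group &NC&. These are the tables the two
*& missing-input-validation notes describe as unprotected.
*&---------------------------------------------------------------------*
REPORT z_tables_without_authgroup.

TYPES: BEGIN OF ty_tab,
         tabname TYPE dd02l-tabname,
       END OF ty_tab,
       BEGIN OF ty_grp,
         tabname TYPE tddat-tabname,
         cclass  TYPE tddat-cclass,
       END OF ty_grp.

DATA: lt_tabs  TYPE STANDARD TABLE OF ty_tab,
      lt_grps  TYPE SORTED TABLE OF ty_grp WITH UNIQUE KEY tabname,
      ls_tab   TYPE ty_tab,
      ls_grp   TYPE ty_grp,
      lv_found TYPE i VALUE 0.

" Restrict the scan to a name range, e.g. Z* for customer tables
SELECT-OPTIONS: s_tab FOR ls_tab-tabname.

START-OF-SELECTION.
  " Active transparent tables in the ABAP Dictionary
  SELECT tabname FROM dd02l INTO TABLE lt_tabs
    WHERE tabname  IN s_tab
      AND tabclass = 'TRANSP'
      AND as4local = 'A'.

  IF lt_tabs IS NOT INITIAL.
    " Authorization group assignments (TDDAT is keyed by TABNAME)
    SELECT tabname cclass FROM tddat INTO TABLE lt_grps
      FOR ALL ENTRIES IN lt_tabs
      WHERE tabname = lt_tabs-tabname.
  ENDIF.

  LOOP AT lt_tabs INTO ls_tab.
    CLEAR ls_grp.
    READ TABLE lt_grps INTO ls_grp WITH TABLE KEY tabname = ls_tab-tabname.
    " No entry, empty group, or &NC&: S_TABU_DIS can only be checked
    " against the generic group &NC&, not a table-specific one
    IF sy-subrc <> 0 OR ls_grp-cclass IS INITIAL OR ls_grp-cclass = '&NC&'.
      lv_found = lv_found + 1.
      WRITE: / ls_tab-tabname, ls_grp-cclass.
    ENDIF.
  ENDLOOP.

  SKIP.
  WRITE: / 'Tables without a specific authorization group:', lv_found.
```

Run it in SE38 with a name range such as Z* first, then without a restriction. Two caveats: a table listed here is not automatically writable, because S_TABU_DIS is still checked for DICBERCLS = &NC& and S_TABU_NAM can be used instead of a group; and the reverse also holds, since a broad S_TABU_DIS grant (for example via SAP_ALL) covers grouped tables too. Assigning groups narrows the blast radius of the two notes but does not replace implementing them.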


3581811 – [CVE-2025-27428] Directory Traversal vulnerability in SAP NetWeaver and ABAP Platform (Service Data Collection)

  • Priority: High
  • CVSS: 7.7
  • Product: SAP NetWeaver, ABAP Platform
  • Version: ST-PI 2008_1_700 – 710; ST-PI 740

Issue

Due to a directory traversal vulnerability, an authorized attacker could gain access to critical information by calling an RFC-enabled function module.

Solution

Implement the Correction Instructions or the Support Packages and Patches referenced in the security note.

  • Patch the component: ST-PI 2008_1_700 – 710; ST-PI 740

References

3581811 – [CVE-2025-27428] Directory Traversal vulnerability in SAP NetWeaver and ABAP Platform (Service Data Collection)

By Z_NERD

Tech Stack #SAP Basis (2023~), SAP HANA, Oracle, Linux, AIX, basic ABAP
