SAP Patches 26 Security Flaws in September 2025: Critical NetWeaver Vulnerabilities Demand Urgent Attention


SAP has released its September 2025 Security Patch Day fixes, addressing 21 new vulnerabilities and issuing 5 updates to previously published security notes, including several rated critical. According to SAP’s official advisory, these flaws impact widely used products such as SAP NetWeaver, SAP Business One, S/4HANA, and SAP Commerce Cloud, putting global enterprises at risk if patches are not applied immediately.

Among the most serious vulnerabilities are:

  • CVE-2025-42944 – Insecure Deserialization in SAP NetWeaver (RMI-P4), rated CVSS 10.0 (Critical). This flaw could allow remote code execution, giving attackers full control over targeted systems.
  • CVE-2025-42922 – Insecure File Operations in SAP NetWeaver AS Java (Deploy Web Service), rated 9.9 (Critical). Successful exploitation could enable attackers to manipulate sensitive files or inject malicious code.
  • CVE-2023-27500 – An updated note on Directory Traversal in SAP NetWeaver AS for ABAP and ABAP Platform, rated 9.6 (Critical), highlighting the persistence of risks in older platforms still running in production.
  • CVE-2025-42958 – Missing Authentication in SAP NetWeaver Kernel, rated 9.1 (Critical), which could allow unauthorized access to core business applications.

These vulnerabilities hit at the heart of enterprise resource planning (ERP) systems, which handle finance, logistics, HR, and supply chains across industries. Exploitation could result in data breaches, service outages, or even manipulation of business transactions.

Global and Regional Impact

SAP powers thousands of businesses worldwide, including governments, banks, telecoms, and energy companies. For enterprises in the Middle East and Africa, where SAP plays a key role in oil & gas, aviation, and government digitization projects, delayed patching could expose critical national infrastructure to attackers.

Cybercriminals are increasingly exploiting unpatched SAP systems, often using them as entry points for ransomware campaigns or to exfiltrate sensitive financial data. In fact, threat intelligence reports suggest that attackers monitor SAP patch releases closely to weaponize new CVEs within weeks.

Expert Take

Security analysts stress that the window between patch release and exploitation is shrinking. “With CVSS 10.0 vulnerabilities on SAP NetWeaver, organizations cannot afford delays,” said a senior ERP security consultant. “Attackers know that patching SAP is complex and slow in large enterprises, which gives them an opening.”

What Security Teams Should Do Now

To mitigate risks, SAP customers should prioritize immediate patching and strengthen monitoring of their SAP landscapes.

10 Recommended Actions for Security Teams

  1. Apply all September 2025 SAP patches without delay, focusing first on CVSS 9.0+ vulnerabilities.
  2. Isolate critical SAP systems from the internet where possible to reduce attack exposure.
  3. Enable strict input validation and runtime checks for NetWeaver and ABAP components.
  4. Review access controls to prevent abuse of missing authentication and authorization flaws.
  5. Patch third-party dependencies (e.g., outdated JSON libraries and OpenSSL) used in SAP applications.
  6. Implement continuous monitoring for abnormal SAP transaction patterns.
  7. Use intrusion detection rules targeting exploitation attempts of CVE-2025-42944 and CVE-2025-42922.
  8. Strengthen staff training and awareness.
  9. Run regular vulnerability scans of SAP environments, focusing on both production and test systems.
  10. Develop a rapid incident response playbook for potential SAP exploitation scenarios.

Why This Matters for Business Leaders

This isn’t just an IT problem. With SAP at the core of financial operations, HR, and supply chains, unpatched vulnerabilities can directly translate into financial losses, compliance violations, and reputational damage. In regions like MEA, where large-scale digital transformation projects rely heavily on SAP, timely patching is critical to maintaining business trust.

Conclusion

SAP’s September 2025 Patch Day underscores the constant race between attackers and defenders. With 26 vulnerabilities addressed, including multiple critical flaws in NetWeaver and S/4HANA, organizations must treat this as a high-priority security event. Delaying patching could leave vital business systems exposed to exploitation.

Ouaissou DEMBELE
Ouaissou DEMBELE is a seasoned cybersecurity expert with over 12 years of experience, specializing in purple teaming, governance, risk management, and compliance (GRC). He currently serves as Co-founder & Group CEO of Sainttly Group, a UAE-based conglomerate comprising Saintynet Cybersecurity, Cybercory.com, and CISO Paradise. At Saintynet, where he also acts as General Manager, Ouaissou leads the company’s cybersecurity vision—developing long-term strategies, ensuring regulatory compliance, and guiding clients in identifying and mitigating evolving threats. As CEO, his mission is to empower organizations with resilient, future-ready cybersecurity frameworks while driving innovation, trust, and strategic value across Sainttly Group’s divisions. Before founding Saintynet, Ouaissou held various consulting roles across the MEA region, collaborating with global organizations on security architecture, operations, and compliance programs. He is also an experienced speaker and trainer, frequently sharing his insights at industry conferences and professional events. Ouaissou holds and teaches multiple certifications, including CCNP Security, CEH, CISSP, CISM, CCSP, Security+, ITILv4, PMP, and ISO 27001, in addition to a Master’s Diploma in Network Security (2013). Through his deep expertise and leadership, Ouaissou plays a pivotal role at Cybercory.com as Editor-in-Chief, and remains a trusted advisor to organizations seeking to elevate their cybersecurity posture and resilience in an increasingly complex threat landscape.
