SAP Patches Four Critical NetWeaver Vulnerabilities on September 2025 Patch Day

SAP's September 2025 Patch Day fixes four critical flaws in NetWeaver. Apply these updates now to protect your systems.

SAP has released its September 2025 Patch Day, addressing four critical vulnerabilities in its NetWeaver platform. The updates include fixes for unauthenticated remote code execution, insecure file operations, and directory traversal issues.

Among the patched vulnerabilities, Note #3634501 resolves an insecure deserialization flaw in NetWeaver AS Java (CVE-2025-42944), which allowed unauthenticated remote code execution via malicious payloads. Another critical issue, addressed by Note #3643865, involves insecure file operations in NetWeaver AS Java (CVE-2025-42922), enabling non-admin users to upload and execute arbitrary files.

Additionally, HotNews Note #3302162 updates a directory traversal flaw in NetWeaver AS ABAP (CVE-2023-27500). Note #3643865 also fixes a missing authentication check in SAP NetWeaver BC-OP-AS4 (CVE-2025-42958).

In total, SAP issued 21 new and 4 updated security notes, with the remaining ones resolving high-, medium-, and low-severity issues.

SAP's September 2025 Patch Day has successfully addressed four critical vulnerabilities in its NetWeaver platform. Users are advised to apply these updates promptly to mitigate potential security risks.
