Overview
SAP’s security patch day for September 2025 has seen the release of 26 OSS SAP security notes. Four notes have been classified as critical, four as high, sixteen as medium and two as low, based on their CVSS v3.0 base score rating.
September 2025: Security Notes by CVSS v3 Base score

Four notes have been released for:
- SAP NetWeaver AS Java
Three notes have been released for:
- SAP Solution Manager
Two notes have been released for:
- SAP HCM / S/4HANA HCM
- SAP BusinessObjects BI Platform
- SAP Cloud for Customer
Single notes have been released for:
- SAP NetWeaver
- SAP LT
- SAP BPC for NetWeaver
- SAP Business One (SLD)
- SAP ERP / S/4HANA PP
- SAP CRM (Lead Mgmt)
- SAP DBSL / DB Connectivity Layer
- SAP SRM (ITS Integration)
- SAP LT Replication Server
- SAP on IBM AS/400 (iSeries)
- S/4HANA Finance
- SAP NetWeaver Basis
- SAP Gateway / Fiori Timesheet
September 2025: Security Notes by Product Category

Vulnerabilities: September 2025 Highlights
[CVE-2025-42918] Missing Authorization check in SAP NetWeaver Application Server for ABAP (SAP Note 3623504)
SAP NetWeaver Application Server for ABAP allows authenticated users with access to background processing to gain unauthorized read access to profile parameters. This results in a low impact on confidentiality, with no impact on integrity or availability.
[CVE-2025-31331] Authorization Bypass vulnerability in SAP NetWeaver (SAP Note 3577131)
SAP NetWeaver allows an attacker to bypass authorization checks, enabling them to view portions of ABAP code that would normally require additional validation. Once logged into the ABAP system, the attacker can run a specific transaction that exposes sensitive system code without proper authorization. This vulnerability compromises confidentiality only; integrity and availability are not affected.
[CVE-2025-42911] Missing Authorization check in SAP NetWeaver (Service Data Download) (SAP Note 3627644)
SAP NetWeaver (Service Data Download) allows an authenticated user to call a remote-enabled function module, which could grant access to information about the SAP system and the underlying operating system. This leads to a low impact on confidentiality, with no impact on the integrity or availability of the application.
[CVE-2025-27428] Directory Traversal vulnerability in SAP NetWeaver and ABAP Platform (Service Data Collection) (SAP Note 3581811)
Due to a directory traversal vulnerability, an authorized attacker could gain access to critical information by calling an RFC-enabled function module. Upon successful exploitation, they could read files from any managed system connected to SAP Solution Manager, leading to a high impact on confidentiality. There is no impact on integrity or availability.
About this Review
On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations to each of our managed service customers.
There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.