Organizations should prioritize these Security Notes by accessing the Support Portal and applying patches without delay to maintain a hardened SAP landscape.
This month’s patch cycle addresses four critical issues, all rated CVSS 9.0 or above.
The most severe is an insecure deserialization flaw in SAP NetWeaver (RMI-P4) that carries a CVSS score of 10.0 and allows unauthenticated remote code execution.
Another critical note fixes an insecure file operations vulnerability in SAP NetWeaver AS Java, also enabling remote attack vectors with a 9.9 score.
Two additional critical updates remedy a directory traversal bug in NetWeaver AS for ABAP (CVSS 9.6) and a missing authentication check in core NetWeaver (CVSS 9.1).
Exploiting any of these could lead to complete system compromise, data exfiltration, or administrative takeover.
| Note# | CVE | Title | Priority | CVSS |
|---|---|---|---|---|
| 3634501 | CVE-2025-42944 | Insecure Deserialization in SAP NetWeaver (RMI-P4) | Critical | 10.0 |
| 3643865 | CVE-2025-42922 | Insecure File Operations in SAP NetWeaver AS Java (Deploy Web Service) | Critical | 9.9 |
| 3302162* | CVE-2023-27500 | Directory Traversal in SAP NetWeaver AS for ABAP | Critical | 9.6 |
| 3627373 | CVE-2025-42958 | Missing Authentication Check in SAP NetWeaver | Critical | 9.1 |
*Update to Security Note released on March 2023 Patch Day.
Beyond the critical flaws, SAP released patches for eleven high-severity, six medium-severity, and two low-severity issues.
High-severity fixes include input validation gaps in SAP Business One SLD and S/4HANA replication servers (CVSS 8.1–8.8). A path traversal vulnerability in Service Data Collection (CVSS 7.7) is also patched.
Medium-severity notes cover security misconfigurations in Commerce Cloud and Datahub (CVSS 6.6), denial-of-service in Business Planning and Consolidation (CVSS 6.5), and several missing authorization checks in SAP HCM and NetWeaver Application Server (CVSS 5.0–6.5).
Low-severity updates address reverse tabnabbing in Fiori Launchpad (CVSS 3.5) and an outdated OpenSSL disclosure in Adobe Document Service (CVSS 3.4), plus a 2024 Commerce Cloud resource release flaw (CVSS 3.1).
Organizations should adopt a risk-based approach: patch all critical issues first, followed by high-severity vulnerabilities within their change window, then medium and low as part of routine maintenance.
Maintaining an up-to-date patch posture is vital to defend against automated exploits and targeted attacks.
SAP customers are advised to monitor the Support Portal for any further updates or extended notes related to these vulnerabilities.
Regular patching, combined with network segmentation and least-privilege access controls, will significantly reduce exposure and protect business-critical processes.
Find this Story Interesting! Follow us on Google News, LinkedIn and X to Get More Instant Updates
The post SAP Releases Security Updates Addressing 21 Vulnerabilities, 4 Critical appeared first on Cyber Security News.
The casting search for the next actor to play James Bond is officially underway. Amazon…
I can think of few activities I'd enjoy more than playing a video game on…
The list of nominees for the 2026 Will Eisner Comic Industry Awards has been revealed.…
A newly uncovered malware framework is raising serious alarms across the cybersecurity community. Researchers have…
A widely used JavaScript inter-process communication library has been weaponized again. Socket and Stepsecurity have…
Security researchers at Calif, a Palo Alto-based cybersecurity firm, have used techniques derived from an…
This website uses cookies.