SAP’s September 2025 security update includes the critical Hot News note 3634501, which addresses a CVSS 10/10 insecure deserialization vulnerability in SAP NetWeaver AS Java. This flaw could allow an attacker to execute arbitrary OS commands, leading to a full compromise of the affected Java systems.
The SAP Security Notes for September 2025 are headlined by a critical CVSS 10/10 vulnerability patched by Hot News note 3634501. This flaw, an insecure deserialization in the Internet Communication Manager (ICM) of SAP NetWeaver AS Java, could lead to a complete system compromise. Another Hot News note, 3643865, addresses an unrestricted file upload vulnerability in all versions of AS Java, though patches are limited to version 7.50. For older versions, a workaround is provided via KBA 3646072. The third Hot News note, 3627373, resolves a missing authentication check affecting SAP NetWeaver on IBM i operating systems. Additionally, high-priority notes were released to fix input validation flaws in S/4HANA (3635475) and SAP Landscape Transformation (3633002) that could lead to data deletion, a directory traversal in NetWeaver (3581811), and an information disclosure in Business One (3642961).
Key Takeaways
- A critical CVSS 10/10 vulnerability in SAP NetWeaver AS Java is patched by note 3634501.
- Note 3643865 fixes an unrestricted file upload flaw in AS Java systems.
- A missing authentication check in SAP on IBM i is fixed by note 3627373.
- High-priority notes patch data deletion risks in S/4HANA and Landscape Transformation.
- Other notes address directory traversal and information disclosure vulnerabilities.
What Was the Most Critical Vulnerability in September 2025?
The most critical vulnerability is an insecure deserialization flaw in the Internet Communication Manager (ICM) of SAP NetWeaver AS Java, addressed by Hot News note 3634501. It received the highest possible CVSS score of 10.0 because an unauthenticated attacker who can reach the P4 port over the network can submit a malicious serialized object and execute arbitrary OS commands, leading to a full compromise of the AS Java system. The patch enforces secure deserialization in the RMI-P4 module so that untrusted Java objects are rejected. Until it is applied, SAP lists two workarounds: bind the P4 listening port so that only authorized hosts can reach it, and restrict the port with an ICM Access Control List (ACL). Both reduce exposure rather than remove the flaw, so they are stopgaps, not substitutes for the note.
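To make the ACL workaround concrete, the following script (an added example, not SAP's code or anything from note 3634501) parses an ICM-style ACL file and reports which source addresses would be admitted to the P4 port, then flags entries that defeat the purpose of the workaround. It assumes the ACL format `permit|deny <ip>[/<prefix>]` with `#` comments, top-to-bottom first-match evaluation, and an implicit deny when nothing matches; the sample ACL is constructed for the example, and the `p4_port` helper uses the default AS Java port scheme 5NN04 for instance number NN.

```python
"""Evaluate an ICM-style ACL against candidate P4 client addresses.

Added example for the P4 ACL workaround; not SAP code.
Assumptions (not confirmed by the note):
  * entries look like `permit <ip>[/<prefix>]` or `deny <ip>[/<prefix>]`,
    optionally followed by a comment; `#` starts a comment
  * entries are evaluated top to bottom, first match wins
  * a source that matches no entry is denied
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str  # "permit" or "deny"
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    line_no: int


def parse_acl(text: str) -> list[Rule]:
    """Turn ACL text into an ordered list of rules, rejecting malformed lines."""
    rules: list[Rule] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or parts[0].lower() not in ("permit", "deny"):
            raise ValueError(f"line {line_no}: cannot parse {raw!r}")
        # strict=False lets '10.1.2.3/24' mean the network containing that host
        network = ipaddress.ip_network(parts[1], strict=False)
        rules.append(Rule(parts[0].lower(), network, line_no))
    return rules


def evaluate(rules: list[Rule], source: str) -> tuple[str, int | None]:
    """Return (action, matching line number); (deny, None) if nothing matched."""
    addr = ipaddress.ip_address(source)
    for rule in rules:
        if addr.version == rule.network.version and addr in rule.network:
            return rule.action, rule.line_no
    return "deny", None  # assumed implicit deny


def audit(rules: list[Rule]) -> list[str]:
    """Flag ACL entries that leave P4 effectively open or are unreachable."""
    findings: list[str] = []
    for rule in rules:
        if rule.action == "permit" and rule.network.prefixlen == 0:
            findings.append(
                f"line {rule.line_no}: permit-any ({rule.network}) exposes P4 to every host"
            )
    # Anything after a catch-all entry can never match.
    for i, rule in enumerate(rules):
        if rule.network.prefixlen == 0 and i < len(rules) - 1:
            findings.append(
                f"line {rule.line_no}: catch-all {rule.action} shadows "
                f"{len(rules) - i - 1} later entries"
            )
            break
    return findings


def p4_port(instance_no: int) -> int:
    """Default P4 port of an AS Java instance: 5NN04 (50004 for instance 00)."""
    return 50000 + 100 * instance_no + 4


# Constructed sample ACL: only the admin jump hosts and the landscape's own
# application subnet may reach P4; everything else is denied explicitly.
SAMPLE_ACL = """\
# P4 ACL, constructed for this example
permit 10.10.5.0/24        # admin jump hosts
permit 10.20.0.0/16        # other SAP instances in the landscape
deny   0.0.0.0/0           # everything else
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for src in ("10.10.5.17", "10.20.44.2", "192.0.2.10"):
        print(src, evaluate(acl, src))
    print("findings:", audit(acl))
    print("P4 port for instance 01:", p4_port(1))
```

Run it against the real ACL file referenced by the instance profile and against the address ranges that should and should not reach P4; an empty `audit` result plus the expected `deny` for untrusted ranges is the check worth recording before relying on the workaround.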
What Other Hot News Notes Were Released?
Beyond the CVSS 10.0 flaw, SAP released two other Hot News notes. Note 3643865 addresses an unrestricted file upload vulnerability in the Deploy Web Service of SAP NetWeaver AS Java that could be exploited to execute malicious code. All versions of AS Java are affected, but the note only provides a fix for specific support package levels of version 7.50. For earlier versions, KBA 3646072 describes a workaround that disables the vulnerable Deploy Web Service; note that this removes the deployment functionality itself, so plan for that before applying it.
Hot News note 3627373 patches a missing authentication check in SAP NetWeaver installations on the IBM i operating system. Installations on other operating systems are not affected. A possible workaround is to place each SAP System ID (SID) in its own logical partition (LPAR) so that systems do not share server resources.
Summary of September 2025 SAP Security Notes
The table below summarizes the key vulnerabilities patched in the September 2025 update.
| SAP Note | Priority / CVSS | Description | Affected Systems |
|---|---|---|---|
| 3634501 | Hot News (10.0) | Insecure deserialization in ICM | SAP NetWeaver AS Java |
| 3643865 | Hot News (9.9) | Unrestricted file upload | SAP NetWeaver AS Java |
| 3627373 | Hot News (9.1) | Missing authentication check | SAP NetWeaver on IBM i |
| 3635475 | High Priority | Input validation vulnerability | SAP S/4HANA |
| 3633002 | High Priority | Input validation vulnerability | SAP Landscape Transformation |
| 3581811 | High Priority | Directory traversal | SAP NetWeaver |
| 3642961 | High Priority | Information disclosure | SAP Business One |
What Other High-Priority Vulnerabilities Were Patched?
Several high-priority notes were also released. Notes 3635475 and 3633002 address input validation vulnerabilities in SAP S/4HANA and SAP Landscape Transformation, respectively. These flaws could be exploited to delete the contents of database tables that are not assigned to an authorization group, so until the notes are applied, tables without an authorization group should be treated as exposed. Other notable high-priority fixes include note 3581811 for a directory traversal vulnerability in SAP NetWeaver and note 3642961 for an information disclosure vulnerability in SAP Business One.
Frequently Asked Questions (FAQ)
What is the most critical SAP vulnerability for September 2025?
The most critical issue is an insecure deserialization vulnerability in the Internet Communication Manager (ICM) of SAP NetWeaver AS Java. Patched by Hot News note 3634501, it has a CVSS score of 10.0 and could allow for a full system compromise via arbitrary OS commands.
What should I do if my AS Java system is on an older, unmaintained version?
For the unrestricted file upload vulnerability (note 3643865), SAP has provided a workaround in Knowledge Base Article (KBA) 3646072. It disables the vulnerable Deploy Web Service component by adding a startup filter, since direct patches are only available for version 7.50.
Is the missing authentication vulnerability (3627373) widespread?
No, this vulnerability only affects SAP NetWeaver installations on the IBM i operating system. A potential workaround is to place each SAP System ID (SID) in its own logical partition (LPAR) so that systems do not share server resources.