SAP Security Notes - 09/25 - Medium

We've created the first of its kind, SecurityBridge Cloud Platform, designed to prioritize SAP patches, updates, and remediation strategies that help prevent disruptions to critical business systems. Our security advisories provide SAP users with valuable insights into the security and business implications of operating SAP.

The user interface is designed to be as intuitive as possible, but we’d love to hear your feedback and suggestions.
We hope you enjoy using it!

× Hey there! Glad you made it.
We have found 10 security advices for you to review.

Severity

SAP© Security advisories 10

System Types

Affected SAP© system types

_{Related note}
3620264

_CVSS
6.6

_{Affected system
type}
SAP Commerce Cloud SAP DataHub

_Patchday
2025-09

_{Released
on}
2025/09/09

Description
[CVE-2025-22228] Security Misconfiguration vulnerability in Spring security within SAP Commerce Cloud and SAP Datahub

Security Advisory

_{Related note}
3614067

_CVSS
6.5

_{Affected system
type}
ABAP

_Patchday
2025-09

_{Released
on}
2025/09/09

Description
[CVE-2025-42930] Denial of Service (DoS) vulnerability in SAP Business Planning and Consolidation

Security Advisory

_{Related note}
3611420

_CVSS
6.5

_{Affected system
type}
BI/BO platform

_Patchday
2025-09

_{Released
on}
2025/09/09

Description
[CVE-2023-5072] Denial of Service (DoS) vulnerability due to outdated JSON library used in SAP BusinessObjects Business Intelligence Platform

Security Advisory

_{Related note}
3629325

_CVSS
6.1

_{Affected system
type}
ABAP

_Patchday
2025-09

_{Released
on}
2025/09/09

Description
[CVE-2025-42938] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Platform

Security Advisory

_{Related note}
3647098

_CVSS
6.1

_{Affected system
type}
ABAP

_Patchday
2025-09

_{Released
on}
2025/09/09

Description
[CVE-2025-42920] Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management

Security Advisory

_{Related note}
3619465

_CVSS
5.3

_{Affected system
type}
Java

_Patchday
2025-09

_{Released
on}
2025/09/09

Description
[CVE-2025-42926] Missing Authentication check in SAP NetWeaver Application Server Java

Security Advisory

_{Related note}
3627644

_CVSS
5.0

_{Affected system
type}
ABAP

_Patchday
2025-09

_{Released
on}
2025/09/09

Description
[CVE-2025-42911] Missing Authorization check in SAP NetWeaver (Service Data Download)

Security Advisory

_{Related note}
3610322

_CVSS
4.9

_{Affected system
type}
ABAP

_Patchday
2025-09

_{Released
on}
2025/07/08

Description
[CVE-2025-42961] Missing Authorization check in SAP NetWeaver Application Server for ABAP

Security Advisory

_{Related note}
3640477

_CVSS
4.3

_{Affected system
type}
Java

_Patchday
2025-09

_{Released
on}
2025/09/09

Description
[CVE-2025-42925] Predictable Object Identifier vulnerability in SAP NetWeaver AS Java (IIOP Service)

Security Advisory

_{Related note}
3450692

_CVSS
4.3

_{Affected system
type}
SAP Fiori

_Patchday
2025-09

_{Released
on}
2025/09/09

Description
[CVE-2025-42923] Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App (F4044 Manage Work Center Groups)

Security Advisory

Notifications

Severity

SAP© Security advisories 10

System Types

Affected SAP© system types

Related note 3620264

CVSS 6.6

Affected system type SAP Commerce Cloud SAP DataHub

Patchday2025-09

Released on2025/09/09

Related note 3614067

CVSS 6.5

Affected system type ABAP

Patchday2025-09

Released on2025/09/09

Related note 3611420

CVSS 6.5

Affected system type BI/BO platform

Patchday2025-09

Released on2025/09/09

Related note 3629325

CVSS 6.1

Affected system type ABAP

Patchday2025-09

Released on2025/09/09

Related note 3647098

CVSS 6.1

Affected system type ABAP

Patchday2025-09

Released on2025/09/09

Related note 3619465

CVSS 5.3

Affected system type Java

Patchday2025-09

Released on2025/09/09

Related note 3627644

CVSS 5.0

Affected system type ABAP

Patchday2025-09

Released on2025/09/09

Related note 3610322

CVSS 4.9

Affected system type ABAP

Patchday2025-09

Released on2025/07/08

Related note 3640477

CVSS 4.3

Affected system type Java

Patchday2025-09

Released on2025/09/09

Related note 3450692

CVSS 4.3

Affected system type SAP Fiori

Patchday2025-09

Released on2025/09/09

_{Related note}
3620264

_CVSS
6.6

_{Affected system
type}
SAP Commerce Cloud SAP DataHub

_Patchday
2025-09

_{Released
on}
2025/09/09

_{Related note}
3614067

_CVSS
6.5

_{Affected system
type}
ABAP

_Patchday
2025-09

_{Released
on}
2025/09/09

_{Related note}
3611420

_CVSS
6.5

_{Affected system
type}
BI/BO platform

_Patchday
2025-09

_{Released
on}
2025/09/09

_{Related note}
3629325

_CVSS
6.1

_{Affected system
type}
ABAP

_Patchday
2025-09

_{Released
on}
2025/09/09

_{Related note}
3647098

_CVSS
6.1

_{Affected system
type}
ABAP

_Patchday
2025-09

_{Released
on}
2025/09/09

_{Related note}
3619465

_CVSS
5.3

_{Affected system
type}
Java

_Patchday
2025-09

_{Released
on}
2025/09/09

_{Related note}
3627644

_CVSS
5.0

_{Affected system
type}
ABAP

_Patchday
2025-09

_{Released
on}
2025/09/09

_{Related note}
3610322

_CVSS
4.9

_{Affected system
type}
ABAP

_Patchday
2025-09

_{Released
on}
2025/07/08

_{Related note}
3640477

_CVSS
4.3

_{Affected system
type}
Java

_Patchday
2025-09

_{Released
on}
2025/09/09

_{Related note}
3450692

_CVSS
4.3

_{Affected system
type}
SAP Fiori

_Patchday
2025-09

_{Released
on}
2025/09/09