Advisories

CERT-In Advisory CIAD-2025-0029

Multiple vulnerabilities in SAP Products

Original Issue Date: September 09, 2025

Severity Rating: Critical

Software Affected

SAP NetWeaver (RMI-P4)
SAP NetWeaver AS Java (Deploy Web Service)
SAP NetWeaver AS for ABAP and ABAP Platform
SAP NetWeaver
SAP Business One (SLD)
SAP Landscape Transformation Replication Server
SAP S/4HANA (Private Cloud or On-Premise)
SAP NetWeaver and ABAP Platform (Service Data Collection)
SAP Commerce Cloud and SAP Datahub
SAP Business Planning and Consolidation
SAP HCM (My Timesheet Fiori 2.0 application)
SAP HCM (Approve Timesheets Fiori 2.0 application)
SAP BusinessObjects Business Intelligence Platform
SAP Supplier Relationship Management
SAP NetWeaver ABAP Platform
Fiori app (Manage Payment Blocks)
SAP NetWeaver Application Server Java
SAP NetWeaver (Service Data Download)
SAP NetWeaver Application Server for ABAP
SAP NetWeaver AS Java (IIOP Service)
SAP Fiori App (F4044 Manage Work Center Groups)
SAP NetWeaver Application Server for ABAP (Background Processing)
SAP Fiori (Launchpad)
SAP NetWeaver AS Java (Adobe Document Service)
SAP Commerce Cloud

Overview

Multiple vulnerabilities have been reported, which could be exploited by an attacker to disclose sensitive information, gain elevated privileges, bypass security restrictions, perform Cross-Site Scripting (XSS) and CSRF attacks, execute arbitrary code, manipulate user sessions, access unauthorized files, and cause denial-of-service condition on the targeted system.

Target Audience:
SAP system administrators, SAP security teams, IT infrastructure teams managing SAP landscape and Application developers using affected SAP.

Risk Assessment:
Potential for system compromise, data exposure, unauthorized access, privilege abuse, service disruption, application manipulation.

Impact Assessment:
High risk of data breach, full system compromise, prolonged service unavailability, security control bypass, and remote code execution.

Description

Multiple vulnerabilities have been reported in SAP products; details of which are provided below:

Solution

Apply appropriate updates as mentioned by the vendor:
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/september-2025.html

Vendor Information

SAP
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/september-2025.html

References

SAP
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/september-2025.html

CVE Name
CVE-2025-42944
CVE-2025-42922
CVE-2023-27500
CVE-2025-42958
CVE-2025-42933
CVE-2025-42929
CVE-2025-42916
CVE-2025-27428
CVE-2025-22228
CVE-2025-42930
CVE-2025-42912
CVE-2025-42913
CVE-2025-42914
CVE-2025-42917
CVE-2023-5072
CVE-2025-42920
CVE-2025-42938
CVE-2025-42915
CVE-2025-42926
CVE-2025-42911
CVE-2025-42961
CVE-2025-42925
CVE-2025-42923
CVE-2025-42918
CVE-2025-31331
CVE-2025-42941
CVE-2025-42927
CVE-2024-13009

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Email: info@cert-in.org.in
Phone: +91-11-22902657

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India