SAP September security notes: which identity controls fail first?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: SAP’s September 9 release delivered 21 new Security Notes and 3 updates, including two critical NetWeaver AS Java flaws, an ABAP directory traversal re-release, and a Business One issue that exposed database credentials in HTTP responses, according to Pathlock. The pattern is familiar: identity-adjacent controls fail first, and patching must be paired with tighter access, port, and credential handling.

NHIMG editorial — based on content published by Pathlock: SAP’s September security notes and critical vulnerability roundup

By the numbers:

Questions worth separating out

Q: What breaks when SAP application flaws expose privileged interfaces?

A: When privileged SAP interfaces are exposed, the flaw stops being just an application issue and becomes an access-control problem.

Q: Why do SAP credentials exposed in backend responses create broader identity risk?

A: A credential exposed in an HTTP response is no longer confined to its intended service boundary, so it behaves like a compromised identity asset.

Q: How should teams reduce risk from SAP patch notes that affect file upload or host overwrite paths?

A: Teams should treat file upload and host overwrite flaws as control-plane issues, not isolated bugs.

Practitioner guidance

  • Restrict high-risk SAP interfaces immediately: lock down P4 ports, Deploy Web Service access, and any other privileged middleware entry points until the affected notes are fully patched and validated.
  • Separate patching from privilege review: apply the Java, ABAP, Business One, IBM i, and S/4HANA fixes, then verify which users and service accounts can still reach the affected functions.
  • Rotate secrets exposed through backend responses: treat any credential disclosure in HTTP responses as an active identity compromise and rotate the affected database credentials immediately.
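As an added example (not part of this post or of Pathlock's article), the following Python scanner runs over captured HTTP response bodies, such as those exported from a reverse proxy or WAF log, and flags credential material so that the affected secret can be queued for rotation. The sample responses and the regular expressions are constructed for the example and are not SAP-specific formats; previews are redacted so the tool does not re-expose the secret it just found.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Generic indicators of a credential leaking into a response body.
# These patterns are assumptions of this example, not SAP product formats.
PATTERNS = {
    "jdbc_uri_with_password": re.compile(
        r"jdbc:[a-z0-9]+://[^\s\"']*?password=([^&;\s\"']+)", re.I),
    "json_password_field": re.compile(
        r"\"(?:password|passwd|pwd|db_password)\"\s*:\s*\"([^\"]+)\"", re.I),
    "user_pass_in_url": re.compile(
        r"[a-z][a-z0-9+.-]*://([^/\s:@\"']+):([^@\s/\"';]+)@", re.I),
}

# Constructed sample: three response bodies as a proxy might log them.
SAMPLE_RESPONSES = [
    {"id": "resp-001", "status": 500,
     "body": '{"error":"db connect failed","connectionString":'
             '"jdbc:sqlserver://db01:1433;databaseName=ERPDB;user=dbadmin;password=Wint3r-2024!"}'},
    {"id": "resp-002", "status": 200,
     "body": "<html><body>Login OK</body></html>"},
    {"id": "resp-003", "status": 200,
     "body": '{"config":{"db_host":"db02","db_password":"s3cr3t-pass"},'
             '"mirror":"https://svc_user:Pa55w0rd@mirror.internal/"}'},
]


@dataclass(frozen=True)
class Finding:
    response_id: str
    pattern: str
    secret_preview: str  # redacted: enough to correlate, never the full value


def redact(secret: str) -> str:
    """Keep a two-character prefix so triage can tell secrets apart without logging them."""
    if len(secret) <= 4:
        return "*" * len(secret)
    return secret[:2] + "*" * (len(secret) - 2)


def scan_response(response_id: str, body: str) -> list[Finding]:
    """Return one Finding per credential-like match in a single response body."""
    findings: list[Finding] = []
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(body):
            # The last capture group of every pattern is the secret itself.
            secret = match.group(match.lastindex)
            findings.append(Finding(response_id, name, redact(secret)))
    return findings


def scan_log(responses: list[dict]) -> list[Finding]:
    """Scan every logged response, regardless of HTTP status (errors leak most often)."""
    findings: list[Finding] = []
    for entry in responses:
        findings.extend(scan_response(entry["id"], entry["body"]))
    return findings


def rotation_tasks(findings: list[Finding]) -> dict[str, list[str]]:
    """Group findings by response so each leaked credential becomes a rotation ticket."""
    tasks: dict[str, list[str]] = {}
    for finding in findings:
        tasks.setdefault(finding.response_id, [])
        if finding.pattern not in tasks[finding.response_id]:
            tasks[finding.response_id].append(finding.pattern)
    return tasks


def scan_sample() -> list[Finding]:
    """Run the scanner over the constructed sample log."""
    return scan_log(SAMPLE_RESPONSES)


if __name__ == "__main__":
    for finding in scan_sample():
        print(f"{finding.response_id}: {finding.pattern} -> {finding.secret_preview}")
    print("rotate:", rotation_tasks(scan_sample()))
```

Every hit is treated as a rotation task rather than a triage question: once a database credential has appeared in a response, the service boundary that was supposed to contain it is gone, which is the point the guidance above makes.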

What's in the full analysis

Pathlock's full article covers the operational detail this post intentionally leaves for the source:

  • Patch sequencing guidance for the Java stack, ABAP, Business One, IBM i, and S/4HANA issues.
  • The specific SAP Security Notes and KBAs referenced for each flaw.
  • Practical temporary workarounds for teams that cannot patch immediately.
  • The article's own severity breakdown and prioritisation commentary across critical, high, medium, and low notes.

👉 Read Pathlock's September SAP vulnerability roundup →
