Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

SAP September security notes: which identity controls fail first?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: SAP’s September 9 release delivered 21 new Security Notes and 3 updates, including two critical NetWeaver AS Java flaws, an ABAP directory traversal re-release, and a Business One issue that exposed database credentials in HTTP responses, according to Pathlock. The pattern is familiar: identity-adjacent controls fail first, and patching must be paired with tighter access, port, and credential handling.

NHIMG editorial — based on content published by Pathlock: SAP’s September security notes and critical vulnerability roundup

By the numbers:

Questions worth separating out

Q: What breaks when SAP application flaws expose privileged interfaces?

A: When privileged SAP interfaces are exposed, the flaw stops being just an application issue and becomes an access-control problem.

Q: Why do SAP credentials exposed in backend responses create broader identity risk?

A: A credential exposed in an HTTP response is no longer confined to its intended service boundary, so it behaves like a compromised identity asset.

Q: How should teams reduce risk from SAP patch notes that affect file upload or host overwrite paths?

A: Teams should treat file upload and host overwrite flaws as control-plane issues, not isolated bugs.

Practitioner guidance

  • Restrict high-risk SAP interfaces immediately Lock down P4 ports, Deploy Web Service access, and any other privileged middleware entry points until the affected notes are fully patched and validated.
  • Separate patching from privilege review Apply the Java, ABAP, Business One, IBM i, and S/4HANA fixes, then verify which users and service accounts can still reach the affected functions.
  • Rotate secrets exposed through backend responses Treat any credential disclosure in HTTP responses as an active identity compromise and rotate the affected database credentials immediately.

What's in the full analysis

Pathlock's full article covers the operational detail this post intentionally leaves for the source:

  • Patch sequencing guidance for the Java stack, ABAP, Business One, IBM i, and S/4HANA issues.
  • The specific SAP Security Notes and KBAs referenced for each flaw.
  • Practical temporary workarounds for teams that cannot patch immediately.
  • The article's own severity breakdown and prioritisation commentary across critical, high, medium, and low notes.

👉 Read Pathlock's September SAP vulnerability roundup →

SAP September security notes: which identity controls fail first?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Middleware trust boundaries are identity boundaries, not just application boundaries. When an enterprise platform exposes a privileged interface like P4 or a deploy path, the security question is who can reach it and what that access can trigger. The flaw in this release set is that trusted application functions were reachable in ways that bypassed the controls practitioners assumed were already protecting them. For NHI and privileged-access teams, the implication is that platform interfaces must be governed as sensitive access paths, not treated as ordinary application endpoints.

A few things that frame the scale:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
  • That visibility gap is compounded by the fact that 38% have no or low visibility and a further 47% have only partial visibility, according to the same report.

A question worth separating out:

Q: Who is accountable when enterprise SAP vulnerabilities are left unpatched?

A: Accountability sits across application owners, infrastructure teams, and identity governance because the exposure spans code, access, and privileged operations. For regulated environments, patching alone is not enough if access remains overly broad or secrets are not rotated. The control failure belongs to the operating model, not just the software vendor.

👉 Read our full editorial: SAP September patch wave exposes Java RCE and credential leaks



   
ReplyQuote
Share: