SAP セキュリティパッチデー 2025 年 9 月

このページでは、SAP 製品で発見された脆弱性を改善するセキュリティノートに関する情報を共有しています。SAP は、Support Portal にアクセスし SAP ランドスケープを保護するために優先的にパッチを適用することを強くお奨めします。

2025 年 9 月 9 日に、SAP セキュリティパッチデーに 21 の新しいセキュリティノートがリリースされました。さらに、以前にリリースされたセキュリティノートに対する 5 つの更新がありました。

Note#

Title

Priority

CVSS

3634501

[CVE-2025-42944Insecure Deserialization vulnerability in SAP Netweaver (RMI-P4)

Product - SAP Netweaver AS Java
Version - SERVERCORE 7.50

Critical

10.0

3643865

[CVE-2025-42922Insecure File Operations vulnerability in SAP NetWeaver AS Java (Deploy Web Service)

Product - SAP NetWeaver AS Java (Deploy Web Service)
Version - J2EE-APPS 7.50

Critical

9.9

3302162

Update to Security Note released on March 2023 Patch Day:

[CVE-2023-27500Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform

Product – SAP NetWeaver AS for ABAP and ABAP Platform
Version – 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757

Critical

9.6

3627373

[CVE-2025-42958Missing Authentication check in SAP NetWeaver

Product - SAP NetWeaver
Version - KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54

Critical

9.1

3642961

[CVE-2025-42933Insecure Storage of Sensitive Information in SAP Business One (SLD)

Product - SAP Business One (SLD)
Version - B1_ON_HANA 10.0, SAP-M-BO 10.0

High

8.8

3633002

[CVE-2025-42929Missing input validation vulnerability in SAP Landscape Transformation Replication Server

Product - SAP Landscape Transformation Replication Server
Version - DMIS 2011_1_620, 2011_1_640, 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, 2020

High

8.1

3635475

[CVE-2025-42916Missing input validation vulnerability in SAP S/4HANA (Private Cloud or On-Premise)

Product - SAP S/4HANA (Private Cloud or On-Premise)
Version - S4CORE 102, 103, 104, 105, 106, 107, 108

High

8.1

3581811

Update to Security Note released on April 2025 Patch Day:

[CVE-2025-27428Directory Traversal vulnerability in SAP NetWeaver and ABAP Platform (Service Data Collection)

Product - SAP NetWeaver and ABAP Platform (Service Data Collection)
Version - ST-PI 2008_1_700, 2008_1_710, 740

High

7.7

3620264

[CVE-2025-22228Security Misconfiguration vulnerability in Spring security within SAP Commerce Cloud and SAP Datahub

Product - SAP Commerce Cloud and SAP Datahub
Version - HY_COM 2205, HY_DHUB 2205, COM_CLOUD 2211, DHUB_CLOUD 2211

Medium

6.6

3614067

[CVE-2025-42930Denial of Service (DoS) vulnerability in SAP Business Planning and Consolidation

Product - SAP Business Planning and Consolidation
Version - BPC4HANA 200, 300, SAP_BW 750, 751, 752, 753, 754, 755, 756, 757, 758, 816, 914, CPMBPC 810

Medium

6.5

3635587

[CVE-2025-42912Missing Authorization check in SAP HCM (My Timesheet Fiori 2.0 application)

Additional CVEs - CVE-2025-42913, CVE-2025-42914

Product - SAP HCM (My Timesheet Fiori 2.0 application)
Version - GBX01HR5 605

Medium

6.5

3643832

[CVE-2025-42917Missing Authorization check in SAP HCM (Approve Timesheets Fiori 2.0 application)

Product - SAP HCM (Approve Timesheets Fiori 2.0 application)
Version - GBX01HR5 605

Medium

6.5

3611420

[CVE-2023-5072Denial of Service (DoS) vulnerability due to outdated JSON library used in SAP BusinessObjects Business Intelligence Platform

Product - SAP BusinessObjects Business Intelligence Platform
Version - ENTERPRISE 430, 2025, 2027

Medium

6.5

3647098

[CVE-2025-42920Cross-Site Scripting (XSS) vulnerability in SAP Supplier Relationship Management

Product - SAP Supplier Relationship Management
Version – SRM_SERVER 700, 701, 702, 713, 714

Medium

6.1

3629325

[CVE-2025-42938Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Platform

Product - SAP NetWeaver ABAP Platform
Version - S4CRM 100, 200, 204, 205, 206, S4CEXT 109, BBPCRM 713, 714

Medium

6.1

3409013

[CVE-2025-42915Missing Authorization Check in Fiori app (Manage Payment Blocks)

Product - Fiori app (Manage Payment Blocks)
Version - S4CORE 107, 108

Medium

5.4

3619465

[CVE-2025-42926Missing Authentication check in SAP NetWeaver Application Server Java

Product - SAP NetWeaver Application Server Java
Version - WD-RUNTIME 7.50

Medium

5.3

3627644

[CVE-2025-42911Missing Authorization check in SAP NetWeaver (Service Data Download)

Product - SAP NetWeaver (Service Data Download)
Version - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816

Medium

5.0

3610322

Update to Security Note released on July 2025 Patch Day:

[CVE-2025-42961Missing Authorization check in SAP NetWeaver Application Server for ABAP

Product - SAP NetWeaver Application Server for ABAP
Version – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816

Medium

4.9

3640477

[CVE-2025-42925Predictable Object Identifier vulnerability in SAP NetWeaver AS Java (IIOP Service)

Product - SAP NetWeaver AS Java (IIOP Service)
Version – SERVERCORE 7.50

Medium

4.3

3450692

[CVE-2025-42923Cross-Site Request Forgery (CSRF) vulnerability in SAP Fiori App (F4044 Manage Work Center Groups)

Product - SAP Fiori App (F4044 Manage Work Center Groups)
Version - UIS4HOP1 600, 700, 800, 900

Medium

4.3

3623504

[CVE-2025-42918Missing Authorization check in SAP NetWeaver Application Server for ABAP (Background Processing)

Product - SAP NetWeaver Application Server for ABAP (Background Processing)
Version - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816

Medium

4.3

3577131

Update to Security Note released on April 2025 Patch Day:

[CVE-2025-31331Authorization Bypass vulnerability in SAP NetWeaver

Product - SAP NetWeaver
Version - SAP_ABA 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G, 75H, 75I

Medium

4.3

 

3624943

Update to Security Note released on August 2025 Patch Day:

[CVE-2025-42941Reverse Tabnabbing vulnerability in SAP Fiori (Launchpad)

Product - SAP Fiori (Launchpad)
Version - SAP_UI 754

Low

3.5

 

3525295

[CVE-2025-42927Information Disclosure due to Outdated OpenSSL Version in SAP NetWeaver AS Java (Adobe Document Service)

Product - SAP NetWeaver AS Java (Adobe Document Service)
Version - ADSSAP 7.50

Low

3.4

3632154

 

[CVE-2024-13009Potential Improper Resource Release vulnerability in SAP Commerce Cloud

Product - SAP Commerce Cloud
Version - HY_COM 2205, COM_CLOUD 2211

Low

3.1

月次で計画されているパッチデー後に、新たに 1 つのセキュリティノートがリリースされました。さらに、以前にリリースされた 7 つのセキュリティノートが更新されました。

3634501

Update to Security Note released on September 2025 Patch Day:

[CVE-2025-42944Insecure Deserialization vulnerability in SAP Netweaver (RMI-P4)

Product - SAP Netweaver (RMI-P4)

Version - SERVERCORE 7.50

Critical

10.0

3643865

Update to Security Note released on September 2025 Patch Day:

[CVE-2025-42922Insecure File Operations vulnerability in SAP NetWeaver AS Java (Deploy Web Service)

Product - SAP NetWeaver AS Java (Deploy Web Service)

Version - J2EE-APPS 7.50

Critical

9.9

3302162

Update to Security Note released on March 2023 Patch Day:

[CVE-2023-27500Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform

Product – SAP NetWeaver AS for ABAP and ABAP Platform

Version – 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757

Critical

9.6

3643832

Update to Security Note released on September 2025 Patch Day:

[CVE-2025-42917Missing Authorization check in SAP HCM (Approve Timesheets Fiori 2.0 application)

Product - SAP HCM (Approve Timesheets Fiori 2.0 application)

Version - GBX01HR5 605

Medium

6.5

3635587

Update to Security Note released on September 2025 Patch Day:

[CVE-2025-42912Missing Authorization check in SAP HCM (My Timesheet Fiori 2.0 application)
Additional CVE - CVE-2025-42913, CVE-2025-42914

Product - SAP HCM (My Timesheet Fiori 2.0 application)

Version - GBX01HR5 605

Medium

6.5

3409013

Update to Security Note released on September 2025 Patch Day:

[CVE-2025-42915Missing Authorization Check in Fiori app (Manage Payment Blocks)

Product - Fiori app (Manage Payment Blocks)

Version - S4CORE 107, 108

Medium

5.4

3623504

Update to Security Note released on September 2025 Patch Day:

[CVE-2025-42918Missing Authorization check in SAP NetWeaver Application Server for ABAP (Background Processing)

Product - SAP NetWeaver Application Server for ABAP (Background Processing)

Version - SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 816

Medium

4.3

3540622

[CVE-2025-42907Server-Side Request Forgery in SAP BI Platform

Product - SAP BI Platform

Version - ENTERPRISE 430, 2025, 2027

Medium

4.3

今月のセキュリティパッチを提供してきたセキュリティ研究者や調査会社の詳細については、こちらをご覧ください。

SAP  は、信頼できる製品とクラウドサービスの提供に尽力しています。安全な運用とデータの完全性を確保するには、安全な設定が不可欠です。そのため、SAP ポートフォリオに最適なセキュリティを設定できるように、この文書に統合されたセキュリティ推奨事項が文書化されています。

過去のアーカイブブログは、こちらからご覧いただけます。

このページに関するコメントまたはフィードバックがある場合は secure@sap.com 宛にご連絡ください。(お問い合わせは英語でお願いいたします。)