🔴 September 2025 brought a record number of critical SAP vulnerabilities
The second Tuesday of the month - 9 September 2025 - marks the traditional SAP Security Patch Day, awaited (with a degree of apprehension) by every SAP systems administrator. This month proved exceptionally intense: SAP released 21 new Security Notes, including as many as 4 rated HotNews priority. What is more, one of the critical vulnerabilities received the maximum possible CVSS score - 10.0/10.0.
📊 September’s security tally in numbers
Let’s look at this month’s statistics (the priority counts cover all 25 notes: the 21 new ones plus the 4 updates):
- 4 HotNews Notes (critical priority) - all with CVSS ≥ 9.0
- 4 High Priority Notes - requiring urgent intervention
- 14 Medium Priority Notes - to be deployed in the standard cycle
- 3 Low Priority Notes - though it is worth remembering that even low-priority issues can be exploited in chained attacks
- 4 updates to previously released Security Notes
🎯 The most severe threat: insecure deserialization in SAP NetWeaver AS Java
This month’s most serious vulnerability is SAP Security Note #3634501, with a score of CVSS 10.0. It is an insecure deserialization vulnerability in the RMI-P4 module of SAP NetWeaver AS Java: the server decodes serialized Java objects received over the P4 protocol without adequately restricting what it is willing to instantiate. In practice this means that an attacker who can reach the P4 port needs no credentials at all - a crafted serialized payload is enough to execute arbitrary code on the server and gain full control of the system.
Jacek Bugajski, CEO of SNOK, comments: “Vulnerabilities with a CVSS score of 10.0 are every administrator’s worst nightmare. In this case, we are talking about the possibility of a complete system takeover by an unauthorised party. It shows just how critical it is to deploy security patches immediately.”
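To make the bug class concrete, here is an added, self-contained Java example. It is not SAP code and not the RMI-P4 implementation; the class and method names (DeserializationDemo, Greeting, Gadget, unsafeDecode, safeDecode) are assumptions chosen for illustration. The vulnerable path hands an untrusted byte stream straight to ObjectInputStream.readObject(), so any "gadget" class on the classpath whose readObject() runs code is reachable by whoever can send bytes. The hardened path installs a JEP 290 ObjectInputFilter allowlist, which rejects unexpected classes before any instance is created. For a real SAP system the remedy for Note #3634501 is SAP's patch, not a filter you bolt on yourself; the example only shows why an unauthenticated deserialization bug earns a 10.0.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added, illustrative example: NOT SAP code and not the RMI-P4 implementation.
// It demonstrates the bug class behind Note #3634501: a server that decodes
// Java serialized objects from an untrusted peer without restricting which
// classes may be instantiated. All names in this file are assumptions.
public class DeserializationDemo {

    // The one type the server legitimately expects from a client.
    static class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Stand-in for a "gadget": a Serializable class whose readObject() runs code
    // the moment the object is decoded. Real gadgets live in libraries already on
    // the server classpath; this one only records that it was triggered.
    static class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean fired = false;

        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            fired = true; // a real gadget would call Runtime.exec(...), do a JNDI lookup, etc.
        }
    }

    // Helper: produce the bytes a client (or attacker) would put on the wire.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // VULNERABLE: whatever class the stream names gets instantiated, so every
    // gadget on the classpath is reachable by an unauthenticated sender.
    static Object unsafeDecode(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return ois.readObject();
        }
    }

    // HARDENED: a JEP 290 ObjectInputFilter allowlist. Only Greeting and classes of
    // the java.base module may be decoded; "!*" rejects everything else, and the
    // limits cap graph depth, array sizes and reference count against
    // resource-exhaustion payloads. The filter runs when a class descriptor is
    // resolved, i.e. before any constructor or readObject() of a rejected class
    // can execute.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxarray=1000;maxrefs=100;"
            + "DeserializationDemo$Greeting;java.base/*;!*");

    static Object safeDecode(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            ois.setObjectInputFilter(ALLOWLIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize(new Greeting("hello"));   // constructed sample input
        byte[] malicious = serialize(new Gadget());         // constructed attack payload

        System.out.println("unsafe/benign: " + ((Greeting) unsafeDecode(benign)).text);
        unsafeDecode(malicious);
        System.out.println("unsafe/malicious: gadget fired = " + Gadget.fired);

        Gadget.fired = false;
        System.out.println("safe/benign: " + ((Greeting) safeDecode(benign)).text);
        try {
            safeDecode(malicious);
        } catch (InvalidClassException e) {
            System.out.println("safe/malicious: rejected by filter (" + e.getMessage()
                    + "), gadget fired = " + Gadget.fired);
        }
    }
}
```

Compile and run with `javac DeserializationDemo.java && java DeserializationDemo` (Java 9 or later, which is when ObjectInputFilter was introduced). On the unfiltered path the gadget's readObject() executes and Gadget.fired becomes true; on the filtered path readObject() throws InvalidClassException and no Gadget instance ever exists. The same asymmetry is why a deserialization endpoint reachable without authentication, as in the P4 case, is treated as a full-system compromise rather than a crash bug.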
🛡️ How does SNOK secure clients’ systems?
1. Proactive monitoring with SecurityBridge
As the official representative of SecurityBridge in Poland, SNOK uses this platform for the continuous monitoring of SAP systems. The platform automatically:
- Scans environments for missing patches
- Prioritises Security Notes based on the actual risk to the specific environment
- Generates compliance reports against the latest security requirements
2. A Security Operations Centre dedicated to SAP
Our SAP SOC is more than just monitoring - it is round-the-clock protection:
- Real-time analysis - we detect unusual behaviour before it becomes an incident
- Automatic event correlation - we combine signals from different systems to detect advanced attacks
- Rapid incident response - our team of experts is ready 24/7
3. Patch management as a service
Dariusz Kurkiewicz, Team Leader of SNOK’s Cybersec & SAP BASIS team, explains: “Deploying patches is not just about installation - it is an entire process. First we analyse the impact on the client’s environment, test it in the development systems, plan maintenance windows, and only then deploy it. We do all of this in a way that minimises the impact on business continuity.”
4. Security audits and penetration testing
We regularly carry out:
- SAP system configuration audits
- Penetration testing of ABAP and Java applications
- Security-focused custom code reviews
- Authorisation and segregation-of-duties analyses
💡 SNOK’s practical recommendations for September 2025
Immediate actions (to be completed within 48 hours):
- Identify all instances of SAP NetWeaver AS Java in your organisation
- Check whether they are exposed to the vulnerabilities in notes #3634501 and #3633002
- Schedule an urgent maintenance window for production systems
- Deploy the patches first in the development and test systems
Medium-term actions (by the end of September):
- Carry out a comprehensive review of all 21 Security Notes
- Update your security documentation
- Train your administration team on the new threats
- Test your emergency procedures and business continuity plans
🚀 Why work with SNOK?
Our competitive advantages:
Expert knowledge - as a Gold SAP Partner in Poland, we have direct access to the latest information and support from the manufacturer
Experience in PWCyber - we take part in the Cybersecurity Cooperation Programme, sharing knowledge with the public sector
A comprehensive approach - we don’t just deploy patches, we build an overall security strategy
Local support, 24/7 - we speak Polish and understand the specifics of the Polish market
📈 Trends we are observing
Analysing September’s Security Notes, we see clear trends:
- Pressure on the Java layer - 2 of the 4 critical notes concern AS Java
- Deserialization as an attack vector - attackers are increasingly exploiting this technique
- Growing attack complexity - modern attacks chain multiple vulnerabilities together in sequences
🔮 What awaits us in October?
October promises to be equally intense. We expect:
- Further patches for S/4HANA 2023
- Security updates for SAP BTP
- Possible out-of-band releases for critical vulnerabilities
📞 Need support?
Don’t wait for an incident - act proactively! The SNOK team is ready to help:
✅ Free consultation on September’s Security Notes
✅ Security audit of your SAP environment
✅ SecurityBridge deployment for continuous monitoring
✅ Training for your IT team
Contact us: 📧 office@snok.ai 📞 +48 22 161 18 30 🌐 www.snok.ai
💬 Share your experience
How is your organisation handling September’s patches? Have you encountered any problems during deployment? What are your biggest challenges in managing SAP security?
We invite you to join the discussion in the comments! Our experts are happy to answer questions and share practical advice.
Safe Tuesday with SNOK is a recurring series in which we share knowledge about SAP system security. We publish every month, right after SAP Security Patch Day, to bring you the latest information and practical advice.