Node.js vulnerability impacts SAP Build Apps applications:

In a significant contribution to SAP's latest Patch Day, the Onapsis Research Labs have identified a substantial number of vulnerabilities, as reported by Thomas Fritsch on the Onapsis-Blog.

The newly discovered vulnerabilities are being incorporated into the Onapsis Platform to ensure comprehensive protection for users. Subscribing to the Defenders Digest Newsletter is a great way to stay informed about the latest SAP security issues and the Onapsis Research Labs' ongoing efforts to share knowledge with the security community.

SAP's September Patch Day saw the publication of nineteen new and updated SAP Security Notes. Among these, SAP Security Notes #3481588 and #3481992 patch two Information Disclosure vulnerabilities in SAP BW (BEx Analyzer) that allow an authenticated attacker to read, over the network, information that is otherwise restricted.

Another notable vulnerability, addressed by SAP Security Note #3488039 and tracked as CVE-2024-45285, allows a low-privileged attacker to send a crafted packet to a vulnerable function module, resulting in a total loss of application availability for a specific user in SAP GUI. Although this is a denial-of-service rather than a code-execution issue, the low privilege needed to trigger it makes it worth prioritising.

SAP Security Note #3488341, tagged with a CVSS score of 6.5, patches a Missing Authorization Check vulnerability in SAP Production and Revenue Accounting. Separately, SAP Commerce Cloud customers who already applied the High Priority Note for SAP Commerce Cloud (#3459935) after its initial release in August should review that note again, since SAP has updated the fixing version from SAP Commerce Cloud Update Release 2211.27 to SAP Commerce Cloud Update Release 2211.28.

The SAP NetWeaver platform, specifically SERVERCORE version 7.50, is affected by a critical insecure-deserialization vulnerability (CVE-2025-42944) that allows remote code execution. Because this component underpins SAP NetWeaver installations worldwide, SAP has urged all customers to prioritise patching this flaw.

In addition, SAP Security Note #3488039 patches six Missing Authorization Check vulnerabilities in various RFC-enabled function modules. SAP Security Note #3505293 patches a Missing Authorization Check vulnerability in SAP for Oil & Gas, allowing an attacker with non-administrative user privileges to delete entries in a user data table.
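To make the Missing Authorization Check class concrete, the following is an added illustration, not SAP's own code and not the code patched by any of the notes above: a hypothetical RFC-enabled function module that deletes rows from a user data table, shown first without and then with an authorization check. The table ZUSER_DATA, the function module names and the choice of authorization object S_USER_GRP are assumptions made for this example; the real object depends on the application.

```abap
* Added example (not SAP's code). Table ZUSER_DATA, the function
* module names and the authorization object are assumed for illustration.

* --- Vulnerable variant: no AUTHORITY-CHECK before the DELETE -----------
* Any caller who is allowed to invoke the RFC-enabled module (i.e. who
* passes the S_RFC check for its function group) can delete entries for
* any user. Non-administrative users are therefore enough to destroy data.
FUNCTION z_delete_user_entry_vuln.
*"----------------------------------------------------------------------
*"  IMPORTING
*"     VALUE(iv_uname) TYPE sy-uname
*"  EXPORTING
*"     VALUE(ev_deleted) TYPE i
*"----------------------------------------------------------------------
  DELETE FROM zuser_data WHERE uname = iv_uname.
  ev_deleted = sy-dbcnt.   " number of rows actually removed
ENDFUNCTION.

* --- Hardened variant: explicit check on a business authorization object
* S_USER_GRP (user master maintenance) with ACTVT '06' (delete) is used
* here as an assumed, plausible object. The check has to live inside the
* module: S_RFC only gates the call itself and says nothing about what
* the module may do once it is running.
FUNCTION z_delete_user_entry_fixed.
*"----------------------------------------------------------------------
*"  IMPORTING
*"     VALUE(iv_uname) TYPE sy-uname
*"  EXPORTING
*"     VALUE(ev_deleted) TYPE i
*"  EXCEPTIONS
*"     not_authorized
*"----------------------------------------------------------------------
  DATA lv_class TYPE usr02-class.

  " Resolve the target user's user group so the check is per target user,
  " not just a blanket "may delete anything" test.
  SELECT SINGLE class FROM usr02 INTO lv_class WHERE bname = iv_uname.
  IF sy-subrc <> 0.
    CLEAR lv_class.
  ENDIF.

  AUTHORITY-CHECK OBJECT 'S_USER_GRP'
    ID 'CLASS' FIELD lv_class
    ID 'ACTVT' FIELD '06'.
  IF sy-subrc <> 0.
    " Deny before any data is touched; the RFC caller receives the exception.
    RAISE not_authorized.
  ENDIF.

  DELETE FROM zuser_data WHERE uname = iv_uname.
  ev_deleted = sy-dbcnt.
ENDFUNCTION.
```

When reviewing your own RFC-enabled function modules for this pattern, call the module with a low-privileged test user and run an authorization trace (transaction STAUTHTRACE) alongside: if the only object that appears in the trace is S_RFC, the module performs a sensitive action without checking whether the caller is entitled to it.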

High Priority Note #3459935, tagged with a CVSS score of 7.4, patches an Information Disclosure vulnerability in SAP Commerce Cloud. Notably, HotNews Note #3479478, tagged with a CVSS score of 9.8, addresses a Missing Authentication Check vulnerability in SAP BusinessObjects Business Intelligence Platform.

The September Summary includes updates to one HotNews Note and one High Priority Note, but no new HotNews or High Priority Notes were published in SAP's September Patch Day. It is crucial for all SAP users to stay vigilant and apply the necessary patches to maintain the security of their systems.
