September’s Patch Tuesday delivered a predictable mix of Windows fixes and the usual Office headaches — but this month the spotlight belongs to SAP, where a string of actively exploited and high-severity NetWeaver flaws demand an urgent, prioritized response from enterprise teams.

Background

Patch Tuesday remains the backbone of enterprise risk management: Microsoft, Adobe and other vendors cluster fixes on the second Tuesday of the month so administrators can plan testing and rollouts. In September 2025 Microsoft released its monthly security update set with a handful of high-priority items (including Office preview-pane risks and server-side RCEs), but security teams should be paying attention to SAP NetWeaver and related ERP patches issued across the spring and summer, several of which carry critical CVSS ratings up to the maximum 10.0 and have been flagged for exploitation in the wild. (techtarget.com, app.opencve.io)

Microsoft: Patch Tuesday was important — not catastrophic

What Microsoft fixed (high level)

This month's Windows and Office updates include a mixture of critical and important patches: Office preview-pane RCEs and SharePoint fixes again appear as recurring, high-risk vectors, and Microsoft’s security updates kept addressing a broad set of server and infrastructure components (SQL Server, Hyper‑V, RRAS, Defender Firewall and more). Public reporting from security outlets and industry analysis confirms that while Microsoft fixed several serious issues, the update round did not produce the kind of immediate, widespread emergency seen in prior months. Administrators should still test and deploy promptly. (computerworld.com, techtarget.com)

Notable Microsoft items to prioritize

  • Office Preview Pane RCEs — Multiple vendors and security analysts continue to highlight preview/thumbnailing code paths (Outlook Preview Pane, File Explorer Preview) as easy attack vectors; disabling preview panes temporarily is a reasonable mitigation when mass mail or untrusted files are expected. (computerworld.com)
  • High Performance Compute (HPC) Pack RCE (CVE-2025-21198) — Microsoft fixed a critical remote-code-execution vulnerability in HPC Pack that carries a high CVSS rating and requires urgent remediation for affected clusters. HPC Pack services use several cluster ports, so monitoring and network segmentation are important interim protections. (app.opencve.io, wiz.io)
  • Third-party library exposures — At least one patched issue touches an open-source dependency, Newtonsoft.Json (CVE-2024-21907), where older versions prior to 13.0.1 can be abused for denial-of-service via deeply nested JSON. If your applications include Newtonsoft.Json in server-side stacks (web APIs, Azure-hosted apps, IIS sites), ensure packages are upgraded or set defensive serializer limits. (nvd.nist.gov, wiz.io)

What to do now — Microsoft checklist

  • Apply cumulative Windows updates after quick functional testing of business‑critical apps.
  • Patch Office (and consider disabling the Preview Pane in Microsoft Outlook/File Explorer until patched).
  • Update third‑party libraries (Newtonsoft.Json) to 13.0.1+ or apply serializer MaxDepth mitigation if upgrade is not immediately possible. (nvd.nist.gov)

SAP: this is the emergency — NetWeaver flaws demand immediate action

The situation in plain terms

Throughout 2025 SAP released a series of security notes that corrected multiple critical and actively exploited vulnerabilities affecting NetWeaver components such as Visual Composer, the Metadata Uploader, and other NetWeaver modules. Several of these issues enable unauthenticated or low‑privilege attackers to achieve code execution or full compromise of confidentiality, integrity and availability — the classic ransomware and data‑exfiltration risk profile for enterprise ERP systems. The industry response has been loud: vendors, CERTs and security researchers have repeatedly urged organizations to patch NetWeaver installations immediately. (app.opencve.io, cvedetails.com)

High‑severity CVEs and impact

  • CVE-2025-31324 (10.0) — An unauthenticated file upload vulnerability in NetWeaver Visual Composer was assigned a maximum CVSS rating and has been associated with active exploitation. The impact is severe: unauthenticated RCE in an ERP platform can yield immediate data theft, administrative persistence and propagation across business processes. (tenable.com)
  • CVE-2025-42999 (≈9.1) — An insecure deserialization vulnerability in the Visual Composer Metadata Uploader allows privileged‑user uploads to be deserialized into Java objects and abused to execute arbitrary code. This class of bug is deadly in platforms that perform object deserialization with elevated privileges. Multiple security trackers flagged the vulnerability and it appears in advisories that prompted emergency patching guidance. (app.opencve.io, cvedetails.com)
  • CVE-2023-27500 (NetWeaver SAPRSBRO) — A previously disclosed directory‑traversal/file‑overwrite bug in SAPRSBRO persists as a high‑impact issue for older NetWeaver versions; it allows non‑admin users to overwrite system files, causing loss of availability and possible privileged-level corruption. This CVE has high severity and should remain on the radar for legacy NetWeaver systems. (nvd.nist.gov)

Why SAP vulnerabilities are structurally riskier than typical Windows patches

  • ERP systems host broadly sensitive data — SAP installations often contain financial records, HR data, supply‑chain credentials and privileged integrations. A single RCE in NetWeaver can let attackers reach far more than a single server.
  • Complex deployment patterns — Many NetWeaver instances are multitenant, cluster‑distributed, or integrated with other enterprise services; patching them requires careful change control and often downtime — which delays mitigation.
  • High value to attackers — Access to ERP systems is a high ROI target for ransomware and espionage actors; active exploitation reports mean attackers are already scanning for unpatched endpoints. (intruceptlabs.com)

Recommended SAP response — priority triage

  • Identify and inventory all SAP NetWeaver and Visual Composer instances — include cloud, hosted and on‑prem systems.
  • Apply SAP security notes immediately — where patches are available, plan an emergency maintenance window and deploy after basic testing. Prioritize CVE‑identified hotfixes tied to RCE/deserialization/unrestricted upload issues. (app.opencve.io)
  • Block or restrict access to management interfaces — prevent direct internet exposure of NetWeaver management ports and uploader endpoints. Use network ACLs, reverse proxies and WAF (Web Application Firewall) rules to limit exposure.
  • Audit uploads and privileged activity — review logs for anomalous upload behavior, new ABAP code deployments, and unexpected process launches. Consider integrity checks on ABAP repos and critical system files.
  • Rotate credentials and service accounts — if compromise is suspected, rotate service keys and check for backdoor changes.

Adobe: broad patch batch, one priority ColdFusion fix

Adobe issued a multi‑product patch run across its ecosystem earlier in the year; the company’s security bulletins show frequent updates for ColdFusion, Adobe Commerce/Magento, Substance 3D, Premiere Pro, Dreamweaver and Experience Manager components. ColdFusion updates in 2025 addressed critical file‑system overwrite and arbitrary code execution bugs for supported 2021–2025 builds; Adobe Commerce/Magento also received urgent fixes for well‑known high‑impact vulnerabilities in older 2.4.x releases. Administrators of Adobe stacks should follow Adobe’s APSB advisories and apply vendor patches quickly because commerce and content‑management platforms are attractive targets. (helpx.adobe.com)

Practical Adobe checklist

  • ColdFusion: apply the specific APSB updates for your product build (2021/2023/2025 families).
  • Magento / Adobe Commerce: patch 2.4.x instances and apply any isolated fixes Adobe provided for high‑risk CVEs.
  • Experience Manager / Premiere / Substance: patch components used in shared hosting environments and tighten file upload controls and sandboxing.

Android: the largest mobile bundle of the year — update your devices

Google’s September Android security update closed dozens of vulnerabilities (the public Android Security Bulletin lists the issues and patch levels for September 2025). This round included a large set of fixes for Qualcomm components and at least two vulnerabilities that were reportedly exploited in the wild. Pixel devices received the patch promptly; non‑Pixel OEM devices must await vendor rollouts. Mobile device managers and security teams should prioritize updates to security patch levels 2025‑09‑01 / 2025‑09‑05 as recommended in the bulletin. (source.android.com, tomsguide.com)

Cisco: ASA/FTD TLS certificate and VPN web server DoS fixes

Cisco released an out‑of‑cycle high‑severity advisory addressing SSL/TLS certificate parsing and remote‑access VPN web server DoS flaws in Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD). These advisories cover certificate parsing and VPN web interface handling that can result in device reloads or denial‑of‑service conditions; Cisco published vendor updates and guidance for affected ASA/FTD models. If you operate ASA/FTD appliances, schedule the vendor updates and apply mitigation guidance immediately because firewall outages can be business‑critical. (cisco.com)

Cross‑vendor technical verification and where reporting diverged

A recent article circulated claiming that Microsoft’s September set included specific CVEs (for example CVE‑2025‑55234 and CVE‑2025‑55232) tied to SMB relay and HPC; independent checks against vendor advisories, public CVE indexes and Microsoft’s update‑guide do not show those exact CVE identifiers in public registries at the time of writing. Concrete, verifiable Microsoft advisories that match the functional descriptions include the HPC Pack RCE (CVE‑2025‑21198) and several Office/SharePoint RCEs and zero‑day fixes reported and analyzed by multiple security outlets. The precise CVE numbers quoted in some coverage could be typos, editorial shorthand, or in‑flight vendor assignments; teams should confirm with Microsoft’s Security Update Guide or MSRC advisory pages for the authoritative mapping. Where any claim in published reporting cannot be independently located in vendor advisories or NVD entries, treat it as unverified until the vendor confirms. (app.opencve.io, techtarget.com)

Risk analysis — what’s notable, what’s worrying

Strengths in the response ecosystem

  • Faster disclosure and coordination — vendors and ecosystem actors (Google/Android, Microsoft, Adobe, SAP) are publishing security notes and patches on a much tighter cadence than in earlier years; this helps defenders plan and respond.
  • Public CVE tracking and mitigations — NVD, vendor advisories and reputable security vendors are providing actionable remediation steps and detection guidance in near‑real time. (source.android.com, helpx.adobe.com)

Persistent weaknesses and attack surface issues

  • ERP systems lag in patching cycles — SAP NetWeaver instances are frequently left unpatched because of complex change control, compatibility worries, and uptime requirements. That delay dramatically increases risk when high‑scoring CVEs (9.0–10.0) are public or exploited. (app.opencve.io)
  • Preview‑pane and thumbnailing keep recurring — Office preview/thumbnail features repeatedly surface as RCE vectors; many organizations still rely on default UI settings that make exploitation easier. (computerworld.com)
  • Third‑party libraries as weak links — Issues like the Newtonsoft.Json DoS remind us that supply‑chain and library hygiene are first‑order security concerns; unattended dependencies on servers can expose large swathes of infrastructure. (nvd.nist.gov)
  • Inconsistent CVE/coverage accuracy from media — some outlet summaries occasionally use incorrect CVE IDs or conflate advisories; this creates operational friction for defenders who must cross‑check and validate before acting. This underlines the need to confirm with vendor advisories and the NVD. (techtarget.com)

Practical playbook — how to triage and respond (for SOCs and IT teams)

Immediate (first 24–72 hours)

  • Inventory & map: list exposed ERP (SAP NetWeaver/Visual Composer), public web apps (Adobe Commerce, Experience Manager), and HPC clusters. Include versions and last patch dates.
  • Apply vendor emergency patches where available — start with any SAP security notes, ColdFusion/Adobe hotfixes, and the Microsoft cumulative updates that affect internet‑facing services.
  • Isolation: restrict network access to management endpoints and uploader endpoints; place NetWeaver web interfaces behind reverse proxies and WAF rules that block file upload abuse patterns.
  • Mitigate preview‑pane risk: disable Outlook/File Explorer Preview Pane on heavily exposed user populations until updates are in place. (computerworld.com)

Secondary (3–14 days)

  • Harden application stacks: upgrade Newtonsoft.Json and other vulnerable libraries; implement service account rotation and least privilege.
  • Hunt & monitor: search logs for anomalous upload activity, unexpected ABAP code changes, new user creations, suspicious connections to HPC scheduler ports, and spikes on cluster control ports (for HPC Pack, known cluster ports include TCP 5999 among others — monitor accordingly). (learn.microsoft.com, app.opencve.io)
  • Deploy detection rules: create IDS/IPS and SIEM rules to alert on unexpected outbound connections from SAP servers, abnormal uploads, and suspicious Office preview render chains.
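As an added example (not code from the original post or from SAP), here is the kind of log review the SAP triage list ("Audit uploads and privileged activity") and the "Hunt & monitor" step above call for: a small Python hunt over constructed web-server access-log lines that flags POSTs to an upload endpoint with no authenticated user, uploads from outside a trusted network range, and repeated uploads from one source. The endpoint path, the trusted range and the Common-Log-Format layout are assumptions; replace them with the endpoints named in the applicable SAP security note and your reverse proxy's own log format.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines (Common Log Format style); not real SAP output.
SAMPLE_LOG = """\
10.0.0.5 - jdoe [09/Sep/2025:10:01:02 +0000] "GET /portal/home HTTP/1.1" 200 5120
203.0.113.7 - - [09/Sep/2025:10:03:15 +0000] "POST /constructed/metadata-uploader HTTP/1.1" 200 118
10.0.0.9 - svc_build [09/Sep/2025:10:04:40 +0000] "POST /constructed/metadata-uploader HTTP/1.1" 200 94
203.0.113.7 - - [09/Sep/2025:10:05:02 +0000] "POST /constructed/metadata-uploader HTTP/1.1" 403 0
203.0.113.7 - - [09/Sep/2025:10:05:09 +0000] "POST /constructed/metadata-uploader HTTP/1.1" 200 121
198.51.100.4 - admin [09/Sep/2025:10:07:30 +0000] "POST /constructed/metadata-uploader HTTP/1.1" 200 90
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)
# Assumptions: the upload endpoint is a placeholder path (take the real ones from the
# SAP security note); the trusted range is the internal network allowed to upload.
UPLOAD_PATHS = {"/constructed/metadata-uploader"}
TRUSTED_NETS = [ip_network("10.0.0.0/8")]
BURST_THRESHOLD = 3  # uploads from one source within the reviewed window

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None  # None when the line is not in the expected format

def is_trusted(src):
    try:
        return any(ip_address(src) in net for net in TRUSTED_NETS)
    except ValueError:  # not an IP literal
        return False
def hunt(log_text):
    """Return (finding, source, detail) tuples for upload-endpoint activity to review."""
    findings, per_src = [], Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or rec["method"] != "POST" or rec["path"] not in UPLOAD_PATHS:
            continue
        per_src[rec["src"]] += 1
        if rec["user"] == "-":  # upload request with no authenticated principal
            findings.append(("unauthenticated_upload", rec["src"], rec["path"]))
        if not is_trusted(rec["src"]):
            findings.append(("upload_from_untrusted_network", rec["src"], rec["path"]))
    for src, n in per_src.items():  # repeated uploads from one source
        if n >= BURST_THRESHOLD:
            findings.append(("upload_burst", src, str(n)))
    return findings
```

Every finding is an item for an analyst to review, not a verdict; a legitimate build account posting from an unexpected network will show up here too, which is exactly the kind of change you want to notice.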

Longer term (2–8 weeks)

  • Patch management policy: tighten emergency patch windows for ERP and commerce platforms — build a validated, repeatable test path so critical fixes are not delayed by manual processes.
  • Threat modeling for ERP: run tabletop exercises that assume an ERP compromise and rehearse containment, data recovery and regulatory notifications.
  • Third‑party dependency governance: adopt SBOMs (software bill of materials) and automated dependency scanners to find vulnerable libraries before they’re exploited.

Final assessment and editorial verdict

September’s Patch Tuesday was not a Microsoft apocalypse; Windows and Office teams should still patch quickly, but the critical emergency in this cycle is not in the desktop OS — it’s in enterprise middleware and specialized platforms. SAP NetWeaver and Visual Composer issues carry real, immediate danger for any organization that relies on SAP for finance, HR or supply‑chain functions; these are the kind of flaws that allow attackers to move from a single service into business‑critical systems.
Administrators should treat SAP hotfixes as high‑urgency items, while still maintaining disciplined patch testing for Microsoft and Adobe updates. Relying on a single vendor’s patch cadence is insufficient — effective defense needs fast identification, network isolation, library upgrades and active threat hunting. Where media reporting supplies CVE numbers or mitigation advice that cannot be found in vendor advisories or public CVE registries, treat those items as unverified until confirmed with the vendor or the MSRC/NVD.
Apply patches, restrict access, and prioritize ERP and commerce platform updates above routine workstation rollouts this week. The time between public disclosure and active exploitation is short — especially for high‑value targets like SAP — and the cost of delay can be catastrophic.

Source: theregister.com, "SAP 'wins' Patch Tuesday with worse flaws than Microsoft"