SAP patches critical NetWeaver

SAP patches critical NetWeaver bugs (CVSS up to 10). Time to patch, not panic.

SAP has released September patches addressing multiple flaws, including three critical issues in SAP NetWeaver (CVSS scores up to 10.0) that could allow code execution, arbitrary file upload, or unauthorised access—one via the RMI-P4 module. A high-severity bug in SAP S/4HANA (CVSS 8.1) could let highly privileged users delete database table contents if authorisations aren’t properly set. Researchers recommend urgent patching; a temporary workaround for the RMI-P4 issue is to filter the P4 port at the ICM level. The update follows news that a separate S/4HANA flaw fixed last month has already been exploited in the wild. While the newly disclosed issues aren’t yet known to be weaponised, SAP customers are urged to apply updates quickly and review compensating controls.

SAP customers got a busy Patch Tuesday: serious holes in NetWeaver and a high-severity issue in S/4HANA. The headline act is a CVSS 10.0 NetWeaver flaw that could let attackers run commands via the RMI-P4 module—no invitation required. Two more critical NetWeaver bugs enable dodgy file uploads and improper access on specific platforms. Over in S/4HANA, a validation miss could let highly privileged users wipe database tables if authorisations aren’t tight. Lovely.

What’s affected
• NetWeaver (multiple components): remote code execution, arbitrary file upload, and missing authentication checks.
• S/4HANA: input validation weakness that can lead to table deletions when controls are lax.

Why it matters
These systems sit at the heart of finance, supply chain, and HR. Exploitation could mean data loss, downtime, and awkward conversations with auditors.

What to do now
1. Patch promptly. Prioritise NetWeaver systems reachable from untrusted networks.
2. Apply a temporary control for the RMI-P4 vector: filter the P4 port at the ICM level to block unknown hosts.
3. Tighten S/4HANA authorisations. Ensure sensitive tables are protected by proper authorisation groups.
4. Review exposure. Inventory internet-facing SAP services, check logging, and monitor for unusual activity.

A quick reality check
Another S/4HANA critical fixed last month is already being exploited, so don’t leave this round sitting in change control limbo. Patch now; argue about change windows later.
Bottom line: If SAP runs your business, treat these fixes like a payroll run—non-negotiable and on time.