
Safe Tuesday with SNOK: SAP Security Patch Day – October 2025

On 14 October 2025, SAP officially published a package of 17 security notes (13 new and 4 updates to existing ones) as part of the monthly SAP Security Patch Day cycle, covering vulnerabilities of varying severity - from a maximum CVSS of 10.0 down to lower threat categories. The current release includes four vulnerabilities classified as critical and two rated high priority, which require immediate implementation by administrative teams responsible for SAP environments.

Particular attention should be paid to vulnerabilities affecting SAP NetWeaver AS Java components, where two critical vulnerabilities related to insecure object deserialisation were identified - CVE-2025-42944 and an update to SAP Note 3634501. Both vulnerabilities carry the maximum CVSS rating of 10.0 and allow an unauthenticated attacker to achieve remote code execution at operating system level. It should be noted that CVE-2025-42944 received a new version of the AS Java patch relative to the previous month.

An additional category comprises vulnerabilities in SAP Print Service (CVE-2025-42937) and SAP Supplier Relationship Management (CVE-2025-42910), which, despite lower CVSS scores (9.8 and 9.0 respectively), still require priority treatment given their potential for system compromise.

The analysis below provides a detailed review of all published security notes, covering exploitation mechanisms, recommended remediation actions and available temporary workarounds for critical and high-severity vulnerabilities. This documentation has been prepared to support decisions on prioritising the patching process in production SAP environments.

Critical priority

SAP Note: 3660659

Title: Security Hardening for Insecure Deserialization in SAP NetWeaver AS Java

CVE: CVE-2025-42944

Product: SAP NetWeaver AS Java

Version: SERVERCORE 7.50

Priority: Critical

CVSS: 10.0

Cause:

The cause of the issue is insecure deserialisation of JDK objects and third-party classes, which is not restricted by default in SAP NetWeaver AS Java. The system becomes vulnerable to remote code execution when specially crafted data is deserialised by the AS Java runtime environment.

Resolution:

To resolve this issue, a security patch must be applied that blocks insecure JDK and third-party classes in SAP NetWeaver AS Java. The system should be updated to the latest available patch for SERVERCORE 7.50 - the patch includes a configuration fix that prevents insecure deserialisation within the SAP NetWeaver AS Java runtime environment.

SAP Note: 3634501 (Update)

Title: Update - Insecure Deserialization vulnerability in SAP Netweaver (RMI-P4)

Product: SAP NetWeaver AS Java

Version: SERVERCORE 7.50

Priority: Critical

CVSS: 10.0

Cause:

The source of the problem is faulty handling of deserialisation of malicious Java objects in the RMI-P4 component of the SAP NetWeaver platform. The attack can be carried out by an unauthenticated third party by transmitting specially crafted code to an accessible network port, resulting in the ability to execute commands at operating system level while compromising the confidentiality, integrity and availability of the application.

Resolution:

The issue has been resolved by updating the P4-Lib component to enforce secure deserialisation handling and restrict the acceptance of untrusted Java objects by the RMI-P4 module. The system should be updated to the latest patch for SERVERCORE 7.50.

Temporary workaround: At network level, the P4/P4S ports should be isolated so that they are not accessible from the external network.
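Both AS Java notes above describe the same class of fix: the runtime stops accepting arbitrary JDK and third-party classes from untrusted serialized streams. As an added illustration that is not SAP's patch or code, the JDK 9+ ObjectInputFilter below admits only the classes an endpoint genuinely expects and rejects everything else; the allowlisted types, the sample payloads and the class name are assumptions for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;

public class DeserializationAllowlistDemo {

    // Allowlist filter (assumed types for this demo): only the classes this endpoint
    // genuinely expects are admitted; the trailing "!*" rejects every other class,
    // including JDK gadget classes and third-party library classes.
    // maxdepth/maxarray cap the object graph to blunt resource-exhaustion payloads.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxarray=10000;java.util.ArrayList;java.lang.String;!*");

    // Deserialise untrusted bytes with the filter attached. A class outside the
    // allowlist makes readObject() throw InvalidClassException at the class
    // descriptor, before that class's own readObject logic can run.
    static Object readWithFilter(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ALLOWLIST);
            return in.readObject();
        }
    }

    // Helper to build the constructed sample payloads used below.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        ArrayList<String> expected = new ArrayList<>();
        expected.add("order-42");
        System.out.println("accepted: " + readWithFilter(serialize(expected)));

        // A HashMap is a harmless stand-in for any unlisted class: the filter rejects it.
        try {
            readWithFilter(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern syntax can be set process-wide with the jdk.serialFilter system property, which is how a runtime rather than a single endpoint is hardened.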

SAP Note: 3630595

Title: Directory Traversal vulnerability in SAP Print Service

CVE: CVE-2025-42937

Product: SAP Print Service

Version: SAPSPRINT 8.00, 8.10

Priority: Critical

CVSS: 9.8

Cause:

The cause of the issue is insufficient validation of path information entered by users in SAP Print Service (SAPSprint). The lack of controls allows an unauthenticated attacker to access parent directories and potentially overwrite system files.

Resolution:

The only effective solution is to apply the official SAP patch - an update to the latest available version is required for the SAPSPRINT 8.00 and 8.10 components. No workaround is available in this case.

SAP Note: 3647332

Title: Unrestricted File Upload Vulnerability in SAP Supplier Relationship Management

CVE: CVE-2025-42910

Product: SAP Supplier Relationship Management

Version: SRMNXP01 100, 150

Priority: Critical

CVSS: 9.0

Cause:

The cause of the issue is a lack of verification of the type or content of files uploaded to SAP Supplier Relationship Management. This allows an attacker to upload arbitrary files, including executables containing potential malware, which may then be downloaded and executed by system users.

Resolution:

The only available solution is to implement SAP Note 3647332 - [CVE-2025-42910] Unrestricted File Upload Vulnerability in SAP Supplier Relationship Management.

High priority

SAP Note: 3664466

Title: Denial of service (DOS) in SAP Commerce Cloud (Search and Navigation)

CVE: CVE-2025-5115

Product: SAP Commerce Cloud

Version: HY_COM 2205, COM_CLOUD 2211, 2211-JDK21

Priority: High

CVSS: 7.5

Cause:

The cause of the issue is the use of a vulnerable version of the Jetty server in the Search and Navigation component of SAP Commerce Cloud, which allows malicious clients to send malformed HTTP/2 frames, leading to potential stream resets and excessive server resource consumption within a short time.

Resolution:

SAP Commerce resolves this vulnerability by updating the Jetty server’s http2-common library to the latest version. The system should be updated to one of the following minimum patch versions:

· SAP Commerce Cloud Patch Release 2211-jdk21.2

· SAP Commerce Cloud Patch Release 2211.45

· SAP Commerce Cloud Patch Release 2205.43

SAP Note: 3658838

Title: Security Misconfiguration vulnerability in SAP Data Hub Integration Suite

CVE: CVE-2025-48913

Product: SAP Data Hub Integration Suite

Version: CX_DATAHUB_INT_PACK 2205

Priority: High

CVSS: 7.1

Cause:

The cause of the issue is the use of a vulnerable version of the Apache CXF 3.5.1 libraries with JMS/JNDI configuration in SAP Data Hub Integration Suite, which allows an unauthenticated user to configure JMS and supply malicious RMI/LDAP endpoints, potentially leading to code execution and a high impact on the confidentiality, integrity and availability of the application.

Resolution:

SAP Data Hub Integration Suite resolves the vulnerability by updating Apache CXF to version 3.6.8, which is not affected by CVE-2025-48913. The system should be updated to the latest Datahub Integration Extension Pack version CX_DATAHUB_INT_PACK 2205, which includes improved components:

· cxf-core-3.6.8

· cxf-rt-bindings-soap-3.6.8

· cxf-rt-bindings-xml-3.6.8

· cxf-rt-databinding-jaxb-3.6.8

· cxf-rt-frontend-jaxws-3.6.8

· cxf-rt-frontend-simple-3.6.8

· cxf-rt-transports-http-3.6.8

· cxf-rt-wsdl-3.6.8

Medium and low priority

Below is a list of the remaining security notes rated medium and low priority:

SAP Note | CVE | Product | CVSS | Vulnerability | Versions

SAP Note 3503138 (Update) | CVE-2025-0059 | SAP NetWeaver Application Server ABAP | 6.0 | Information Disclosure vulnerability | KERNEL 7.53-9.14

SAP Note 3652788 | CVE-2025-42901 | SAP Application Server for ABAP (BAPI Browser) | 5.4 | Code Injection vulnerability | SAP_BASIS 700-816

SAP Note 3642021 | CVE-2025-42908 | SAP NetWeaver Application Server for ABAP | 5.4 | Cross-Site Request Forgery (CSRF) vulnerability | KERNEL 7.53-9.16

SAP Note 3634724 | CVE-2025-42906 | SAP Commerce Cloud | 5.3 | Directory Traversal vulnerability | COM_CLOUD 2211

SAP Note 3627308 | CVE-2025-42902 | SAP NetWeaver AS ABAP and ABAP Platform | 5.3 | Memory Corruption vulnerability | KERNEL 7.22-9.16

SAP Note 3625683 | CVE-2025-42939 | SAP S/4HANA | 4.3 | Missing Authorization Check (Bank Statements Processing Rules) | S4CORE 104-109

SAP Note 3577131 (Update) | CVE-2025-31331 | SAP NetWeaver | 4.3 | Authorization Bypass vulnerability | SAP_ABA 700-75I

SAP Note 3656781 | CVE-2025-42903 | SAP Financial Service Claims Management | 4.3 | User Enumeration and Sensitive Data Exposure via RFC | INSURANCE 803-806, S4CEXT 107-109

SAP Note 3617142 | CVE-2025-31672 | SAP BusinessObjects | 3.5 | Deserialization Vulnerability (Web Intelligence and Platform Search) | ENTERPRISE 430, 2025, 2027

SAP Note 3643871 | CVE-2025-42909 | SAP Cloud Appliance Library Appliances | Not specified | Security Misconfiguration vulnerability | TITANIUM_WEBAPP 4.0

Summary and strategic recommendations

The SNOK team supports its clients in the comprehensive implementation of SAP security patches, offering dedicated analysis, prioritisation and deployment services for critical updates in production environments.

October's SAP Security Patch Day requires immediate organisational mobilisation given the identification of 17 security notes, including four rated at the highest critical priority with a CVSS score of 10.0, which pose a direct threat to business continuity and the integrity of business data. Over the next 48-72 hours, organisations must carry out a comprehensive inventory of their SAP assets, paying particular attention to SAP NetWeaver AS Java components on version SERVERCORE 7.50, while simultaneously initiating emergency update procedures for critical systems and applying the available temporary workaround for SAP Note 3634501.

The current situation highlights the need for fundamental changes in the approach to SAP security management: organisations should consider implementing automated vulnerability monitoring systems, establishing dedicated SAP Security Response teams and developing rapid-response procedures for critical security vulnerabilities. The potential consequences of failing to implement critical patches include full takeover of SAP systems, loss of confidential corporate data and prolonged disruption to operations, which, in the context of growing compliance requirements and increased cybercriminal activity, may result in irreversible reputational and financial losses.
