SAP Security Patch Day – October 2025
On October 14, 2025, SAP released 13 new Security Notes as part of its monthly Security Patch Day, along with 4 updates to previously released notes. This month’s release continues the high-severity threat landscape observed in September, featuring 4 Critical-severity vulnerabilities with CVSS scores ranging from 9.0 to 10.0, 2 High-severity issues (CVSS 7.1–7.5), 9 Medium-severity problems (CVSS 4.3–6.0), and 2 Low-severity vulnerabilities (CVSS 3.0–3.5). The focus remains centered on deserialization attacks, directory traversal vulnerabilities, and authorization control failures, with several notes addressing the same critical deserialization flaw from September that continues to pose significant risks to enterprise deployments.
Key Highlights by Severity
Critical Priority (CVSS 10.0)
The most severe vulnerability this month represents a critical security hardening measure for insecure deserialization in SAP NetWeaver AS Java. This note blocks vulnerable JDK and third-party classes in the AS Java runtime and provides additional protection for the critical RMI-P4 deserialization vulnerability released in September. The vulnerability enables unauthenticated attackers to achieve remote code execution through specially crafted input deserialized by the AS Java runtime, affecting SERVERCORE 7.50 across multiple support package levels.
A complementary update to September’s critical RMI-P4 deserialization vulnerability was also released, enhancing the original fix with additional hardening measures and updated workaround instructions. This reflects SAP’s continued efforts to strengthen defenses against one of the most severe threats in the current SAP security landscape.
Critical Priority (CVSS 9.8)
- A directory traversal vulnerability in SAP Print Service allows unauthenticated attackers to traverse to parent directories and overwrite system files. The vulnerability stems from insufficient validation of path information provided by users, causing high impact on confidentiality, integrity, and availability of the application. This affects SAPSPRINT versions 8.00 and 8.10.
Critical Priority (CVSS 9.0)
- An unrestricted file upload vulnerability in SAP Supplier Relationship Management enables authenticated attackers to upload arbitrary files, including executables that could host malware. Due to missing verification of file type or content, attackers can achieve high impact on confidentiality, integrity, and availability of the application. This vulnerability affects SRMNXP01 versions 100 and 150.
Critical Priority (CVSS 7.5)
- A denial of service vulnerability in SAP Commerce Cloud’s Search and Navigation component stems from a flaw in the HTTP/2 protocol within the Jetty library. Malicious clients can open streams and send crafted requests that cause the server to reset streams and consume excessive resources, creating high availability impact. This affects HY_COM 2205 and COM_CLOUD 2211 versions.
High Priority (CVSS 7.1)
A security misconfiguration vulnerability in SAP Data Hub Integration Suite allows authenticated attackers with basic privileges to delete conditions from shared rules by tampering with request parameters. The missing authorization check enables manipulation of shared rule conditions that should be restricted, compromising system integrity.
Key Affected Components
SAP NetWeaver (Multiple Components): 5 security notes affecting various modules including AS Java, Application Server for ABAP, and ABAP Platform components, demonstrating continued infrastructure vulnerabilities across the core platform.
SAP S/4HANA: 2 security notes addressing missing authorization checks in bank statement processing rules and purchase contract management, highlighting persistent authorization control challenges in enterprise resource planning systems.
SAP Commerce Cloud: 2 security notes targeting denial of service in Search and Navigation and directory traversal vulnerabilities, emphasizing risks in customer-facing commerce platforms.
SAP Business Applications: 4 security notes affecting Print Service, Supplier Relationship Management, Financial Service Claims Management, and BusinessObjects Business Intelligence Platform, showing the breadth of vulnerabilities across diverse business applications.
Other Enterprise Components: Notes spanning Data Hub Integration Suite and Cloud Appliance Library Appliances, indicating security challenges across cloud-enabled SAP solutions.
Notable Trends
Deserialization Threat Persistence:
October features two critical notes with CVSS 10.0 scores, both addressing the same deserialization vulnerability in SAP NetWeaver AS Java. The release of a dedicated security hardening note alongside an update to September’s critical fix demonstrates the ongoing severity and complexity of this threat vector.
Authorization Control Challenges:
Multiple vulnerabilities stem from missing authorization checks or insufficient validation, particularly in S/4HANA and Data Hub components, indicating systemic access control weaknesses across SAP’s enterprise application portfolio.
Update Pattern Continuation:
4 updates to previous notes from January, April, June, and September releases show ongoing refinements to critical fixes. Notably, the September deserialization vulnerability received significant updates, emphasizing its critical importance.
Directory Traversal Focus:
Two critical vulnerabilities involve directory traversal attacks, affecting SAP Print Service and SAP Commerce Cloud, highlighting path validation as a recurring weakness in SAP products.
File Handling Vulnerabilities:
Both directory traversal and unrestricted file upload vulnerabilities demonstrate that file operation security remains a significant challenge across SAP’s product landscape.
Cross-Product Exposure:
Vulnerabilities span from infrastructure components to business applications and cloud services, requiring comprehensive patching strategies across heterogeneous SAP environments.
The botton line
October’s SAP Security Patch Day highlights a continued high-threat environment requiring immediate action across all SAP landscapes. Organizations should prioritize patching the four critical vulnerabilities, including both CVSS 10.0 deserialization flaws in NetWeaver AS Java and the critical directory traversal vulnerability in SAP Print Service.
Enhanced monitoring for AS Java deserialization attempts, Print Service path traversal attacks, and unusual file upload activities across SRM systems are essential. A review of authorization structures across S/4HANA and Data Hub implementations is necessary to address persistent missing authorization check vulnerabilities.
The combination of new critical vulnerabilities, updates to September’s deserialization flaw, and broad exposure of core NetWeaver components underscores that traditional perimeter defenses alone may not be sufficient. Effective SAP security requires coordinated patching and proactive monitoring across heterogeneous systems, with particular attention to security hardening measures for AS Java environments.
At Vicxer, our SAP security experts streamline vulnerability management with real-time monitoring and tailored remediation strategies. Safeguard your landscape against evolving threats. Contact us today to fortify your SAP environment.
You must be logged in to post a comment.