Skip links
RedRays - Your SAP Security Solution
Picture of Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

SAP Security on Udemy

SAP Security Patch Day October 2025 – Critical Updates

SAP has released its October 2025 security patch package containing 16 security notes addressing critical vulnerabilities across enterprise SAP environments. This release includes four HotNews vulnerabilities with CVSS ratings up to 10.0, two High priority issues, eight Medium priority fixes, and two Low priority updates. The patches affect NetWeaver AS Java, SAP Commerce Cloud, BusinessObjects, Supplier Relationship Management, and various SAP application components.

Total Security Notes
16
HotNews Critical
4
High Priority
2
Medium Priority
8
Low Priority
2

Executive Summary

  • Maximum Severity Remote Code Execution: CVE-2025-42944 (CVSS 10.0) in NetWeaver RMI-P4 allows unauthenticated attackers to execute arbitrary code through insecure deserialization with complete system compromise.
  • Critical Directory Traversal: CVE-2025-42937 (CVSS 9.8) in SAP Print Service enables unauthenticated remote attackers to manipulate files and compromise system integrity and availability.
  • High-Risk File Upload: CVE-2025-42910 (CVSS 9.0) in Supplier Relationship Management allows authenticated users to upload malicious files leading to complete system takeover.
  • Denial of Service Threats: Multiple DoS vulnerabilities in Commerce Cloud Search and Navigation (CVSS 7.5) and Data Hub Integration Suite (CVSS 7.1) affecting service availability.

Critical HotNews Vulnerabilities

Insecure Deserialization in NetWeaver RMI-P4

10.0 CVE-2025-42944 BC-JAS-COR-RMT Deserialization
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Unauthenticated remote code execution via insecure deserialization in NetWeaver AS Java RMI-P4 component. This maximum severity vulnerability allows attackers to execute arbitrary code without authentication, achieving complete system compromise with full confidentiality, integrity, and availability impact across connected environments.

SAP Note 3634501 and SAP Note 3660659 — emergency patch required immediately.

Directory Traversal in SAP Print Service

9.8 CVE-2025-42937 BC-CCM-PRN Directory Traversal
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Critical directory traversal vulnerability in SAP Print Service allows unauthenticated remote attackers to access and manipulate arbitrary files on the system. Attackers can read sensitive data, modify critical files, and disrupt service availability without requiring any authentication.

SAP Note 3630595 — patch within 24 hours.

Unrestricted File Upload in Supplier Relationship Management

9.0 CVE-2025-42910 SRM-UIA-SHP-BD File Upload
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Unrestricted file upload vulnerability in SAP Supplier Relationship Management allows authenticated attackers with low privileges to upload malicious files. Successful exploitation leads to remote code execution with complete system compromise across connected environments.

SAP Note 3647332 — immediate patching required.

Denial of Service in Commerce Cloud Search

7.5 CVE-2025-5115 CEC-SCC-COM-SRC-SER DoS
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Denial of Service vulnerability in SAP Commerce Cloud Search and Navigation component allows unauthenticated remote attackers to disrupt service availability by consuming system resources or crashing the application.

SAP Note 3664466 — high priority patch within 48 hours.

High Priority Security Issues

Security Misconfiguration in Data Hub Integration Suite

7.1 CVE-2025-48913 CEC-SCC-INT-HUB Misconfiguration
CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Security misconfiguration in SAP Data Hub Integration Suite allows attackers on adjacent networks to exploit configuration weaknesses. With user interaction, attackers can achieve high impact on confidentiality, integrity, and availability.

SAP Note 3658838 — deploy within 7 days.

Information Disclosure in NetWeaver GUI for HTML

6.0 CVE-2025-0059 BC-FES-WGU Info Disclosure
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Information disclosure vulnerability in SAP NetWeaver Application Server ABAP applications based on SAP GUI for HTML. High-privileged local users can access sensitive information across system boundaries.

SAP Note 3503138 — high priority patch.

Medium Priority Vulnerabilities

Cross-Site Request Forgery in NetWeaver ABAP

5.4 CVE-2025-42908 BC-ABA-SC CSRF
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Cross-Site Request Forgery vulnerability in SAP NetWeaver Application Server for ABAP allows authenticated attackers to perform unauthorized actions on behalf of victims.

SAP Note 3642021 — schedule patch.

Code Injection in ABAP BAPI Browser

5.4 CVE-2025-42901 BC-MID-API Code Injection
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Code injection vulnerability in SAP Application Server for ABAP BAPI Browser component allows authenticated users to inject malicious code.

SAP Note 3652788 — medium priority.

Directory Traversal in Commerce Cloud

5.3 CVE-2025-42906 CEC-SCC-PLA-PL Directory Traversal
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Directory traversal vulnerability in SAP Commerce Cloud allows unauthenticated attackers to access sensitive files outside intended directories.

SAP Note 3634724 — apply patch.

Memory Corruption in NetWeaver AS ABAP

5.3 CVE-2025-42902 BC-SEC-LGN Memory Corruption
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Memory corruption vulnerability in SAP NetWeaver AS ABAP and ABAP Platform can lead to denial of service conditions.

SAP Note 3627308 — maintenance window.

Missing Authorization in S/4HANA Bank Statement Processing

4.3 CVE-2025-42939 FI-FIO-AR-PAY Missing Auth
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Missing authorization check in SAP S/4HANA Manage Processing Rules for Bank Statements Fiori application.

SAP Note 3625683 — apply update.

Authorization Bypass in NetWeaver

4.3 CVE-2025-31331 CA-GTF-TS-GMA Auth Bypass
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Authorization bypass vulnerability in SAP NetWeaver allows authenticated users to access information beyond their authorization level.

SAP Note 3577131 — schedule update.

User Enumeration in Financial Services Claims Management

4.3 CVE-2025-42903 FS-CM User Enumeration
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

User enumeration and sensitive data exposure via RFC function in SAP Financial Service Claims Management.

SAP Note 3656781 — routine update.

Deserialization in BusinessObjects Web Intelligence

3.5 CVE-2025-31672 BI-RA-WBI Deserialization
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Deserialization vulnerability in SAP BusinessObjects Web Intelligence and Platform Search requiring user interaction.

SAP Note 3617142 — apply fix.

Low Priority Security Updates

Security Misconfiguration in Cloud Appliance Library

3.0 CVE-2025-42909 BC-VCM-CAL Misconfiguration
CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N

Security misconfiguration vulnerability in SAP Cloud Appliance Library Appliances with limited confidentiality impact.

SAP Note 3643871 — regular maintenance cycle.

Security Advisory prepared by RedRays Cybersecurity Team

Based on SAP Security Notes published 14 October 2025.

© 2025 RedRays. Test patches in development environments before production deployment.

Explore More