
SAP Security Patch Day – October 2025

On this October's SAP Security Patch Day, SAP issued 23 Security Notes (including updates to previously released notes). A steadily higher number of notes has become the norm, underscoring both the importance of security patches and the need for strong process controls. We are also seeing the effect of SAP's expanding product portfolio: as it grows, so does the scope of the security patches. Gone are the days when notes focused mainly on ABAP or Java systems! Those remain important, but patches for BusinessObjects, SAP Commerce Cloud, and various other product types now feature prominently and deserve the same level of attention.
For most SAP landscapes, patching is anything but simple. Complex architectures, interdependent systems, and a mix of components make the work slow and error-prone, so it is easy to miss a critical update, with serious consequences.
SecurityBridge knows these challenges inside out. Our SecurityBridge Patch Management solution addresses them head-on: it identifies missing patches across your SAP environment and provides visibility, detailed impact analysis, and automated deployment. With a centralized overview, it streamlines patching, shortens implementation timelines, and strengthens your SAP landscape against both current and emerging threats. And when immediate patching isn't feasible, enhanced detection becomes essential.
Security notes - October 2025
HotNews
Let’s start with HotNews, the highest-priority category. There are six notes in total—three newly released today and three updates.
Note 3634501 carries the maximum CVSS score (10) and was first published last month. Since then, it has been updated several times:
- The primary guidance remains unchanged: apply the patch.
- The workaround section now provides further clarification on how to isolate the P4/P4S ports.
Due to the severity of deserialization issues on the AS Java stack, note 3660659 introduces detailed hardening steps to prevent such problems. These measures are recommended in addition to the specific fix in note 3634501 and may require extensive updates to the software stack and configuration. Plan for significant maintenance on AS Java systems, depending on your software level. See also the FAQ note 3663688 for detailed Q&As.
Note 3630595 addresses a vulnerability in SAPSprint (used for remote printing on Microsoft Windows) that could be exploited to overwrite system files on the print server. Refer to FAQ note 3636888 for more information.
Note 3647332 concerns a common vulnerability (arbitrary file upload), this time in an SAP SRM system. The only resolution is to apply the SRM patch; no workaround is available.
Notes 3643865 and 3302162 are existing HotNews items with only minor textual updates; no customer action is required.
High-Priority Notes
While High-priority notes are a step below HotNews in criticality, they are still important. Two notes fall into this category:
Notes 3664466 and 3658838 have been newly released and again demonstrate vulnerabilities that exist because of underlying third-party libraries.
Note 3664466 describes the risk of a Denial of Service (DoS) attack in SAP Commerce Cloud caused by a vulnerable version of Jetty (a common open-source web server). Patch releases are available, along with instructions that depend on the type of Commerce Cloud in use.
Note 3658838 describes how the SAP Data Hub Integration Suite could be configured for malicious behavior because of the Apache CXF libraries it uses. Use the updated extension pack.
Medium- and Low-Priority Notes
This Patch Tuesday, 15 notes fall into the Medium or Low categories. These are a mix of new and updated notes. Highlights include:
- Notes 3635587, 3643832, 3503138, 3577131, and 3623504 have been re-released with updated correction instructions, workaround instructions, and the like. Double-check the validity of these updates for your system landscape!
- Notes 3642021 and 3627308 require a kernel update on ABAP systems.
- Note 3634724 describes how the 'Administration Console' of SAP Commerce Cloud can be isolated and run on a separate virtual host to prevent directory traversal vulnerabilities. Various deployment options are presented, each requiring corresponding manual actions.
- Note 3643871 concerns the SAP Cloud Appliance Library (CAL), a component we don't often see and one that is easily left out of scope for security issues. Despite this note's low priority, double-check whether CAL is in use.
SAP Security Notes October 2025
Highlights
Critical updates and recommendations for the SAP Java stack.
Summary by Severity
The October release contains a total of 23 patches for the following severities:
Severity | Number |
---|---|
Hot News | 6 |
High | 2 |
Medium | 13 |
Low | 2 |
Note | Description | Priority | Released on | Component | Category | Severity | CVSS |
---|---|---|---|---|---|---|---|
3634501 | [CVE-2025-42944] Insecure Deserialization vulnerability in SAP NetWeaver (RMI-P4) | HotNews | 9/9/25 | BC-JAS-COR-RMT | Program error | Hot News | 10.0 |
3660659 | [CVE-2025-42944] Security Hardening for Insecure Deserialization in SAP NetWeaver AS Java | HotNews | 10/14/25 | BC-JAS-COR | Program error | Hot News | 10.0 |
3643865 | [CVE-2025-42922] Insecure File Operations vulnerability in SAP NetWeaver AS Java (Deploy Web Service) | HotNews | 9/9/25 | BC-JAS-DPL | Program error | Hot News | 9.9 |
3630595 | [CVE-2025-42937] Directory Traversal vulnerability in SAP Print Service | HotNews | 10/14/25 | BC-CCM-PRN | Program error | Hot News | 9.8 |
3302162 | [CVE-2023-27500] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform | HotNews | 3/14/23 | BC-DOC-RIT | Program error | Hot News | 9.6 |
3647332 | [CVE-2025-42910] Unrestricted File Upload Vulnerability in SAP Supplier Relationship Management | HotNews | 10/14/25 | SRM-UIA-SHP-BD | Program error | Hot News | 9.0 |
3664466 | [CVE-2025-5115] Denial of service (DoS) in SAP Commerce Cloud (Search and Navigation) | Correction with high priority | 10/14/25 | CEC-SCC-COM-SRC-SER | Program error | High | 7.5 |
3658838 | [CVE-2025-48913] Security Misconfiguration vulnerability in SAP Data Hub Integration Suite | Correction with high priority | 10/14/25 | CEC-SCC-INT-HUB | Program error | High | 7.1 |
3635587 | [CVE-2025-42912] Missing Authorization check in SAP HCM (My Timesheet Fiori 2.0 application) | Correction with medium priority | 9/9/25 | PA-FIO-TS | Program error | Medium | 6.5 |
3643832 | [CVE-2025-42917] Missing Authorization check in SAP HCM (Approve Timesheets Fiori 2.0 application) | Correction with medium priority | 9/9/25 | PA-FIO-TS | Program error | Medium | 6.5 |
3503138 | [CVE-2025-0059] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML) | Correction with medium priority | 1/14/25 | BC-FES-WGU | Program error | Medium | 6.0 |
3409013 | [CVE-2025-42915] Missing Authorization Check in Fiori app (Manage Payment Blocks) | Correction with medium priority | 9/9/25 | FI-FIO-AP-PAY | Program error | Medium | 5.4 |
3642021 | [CVE-2025-42908] Cross-Site Request Forgery (CSRF) vulnerability in SAP NetWeaver Application Server for ABAP | Correction with medium priority | 10/14/25 | BC-ABA-SC | Program error | Medium | 5.4 |
3652788 | [CVE-2025-42901] Code Injection vulnerability in SAP Application Server for ABAP (BAPI Browser) | Correction with medium priority | 10/14/25 | BC-MID-API | Program error | Medium | 5.4 |
3627308 | [CVE-2025-42902] Memory Corruption vulnerability in SAP NetWeaver AS ABAP and ABAP Platform | Correction with medium priority | 10/14/25 | BC-SEC-LGN | Program error | Medium | 5.3 |
3634724 | [CVE-2025-42906] Directory Traversal vulnerability in SAP Commerce Cloud | Correction with medium priority | 10/14/25 | CEC-SCC-PLA-PL | Program error | Medium | 5.3 |
3577131 | [CVE-2025-31331] Authorization Bypass vulnerability in SAP NetWeaver | Correction with medium priority | 4/8/25 | CA-GTF-TS-GMA | Program error | Medium | 4.3 |
3656781 | [CVE-2025-42903] User Enumeration and Sensitive Data Exposure via RFC Function in SAP Financial Service Claims Management | Correction with medium priority | 10/14/25 | FS-CM | Program error | Medium | 4.3 |
3625683 | [CVE-2025-42939] Missing Authorization Check in SAP S/4HANA (Manage Processing Rules - For Bank Statements) | Correction with medium priority | 10/14/25 | FI-FIO-AR-PAY | Program error | Medium | 4.3 |
3623504 | [CVE-2025-42918] Missing Authorization check in SAP NetWeaver Application Server for ABAP (Background Processing) | Correction with medium priority | 9/9/25 | BC-CCM-BTC | Program error | Medium | 4.3 |
3540622 | [CVE-2025-42907] Server-Side Request Forgery in SAP BI Platform | Correction with medium priority | 9/23/25 | BI-BIP-SRV | Program error | Medium | 4.3 |
3617142 | [CVE-2025-31672] Deserialization Vulnerability in SAP BusinessObjects (Web Intelligence and Platform Search) | Correction with low priority | 10/14/25 | BI-RA-WBI | Program error | Low | 3.5 |
3643871 | [CVE-2025-42909] Security Misconfiguration vulnerability in SAP Cloud Appliance Library Appliances | Correction with low priority | 10/14/25 | BC-VCM-CAL | Program error | Low | 3.0 |