SAP October 2025 security patch fixes 13 new security flaws, at least two critical
Take action: If you're running SAP products, review the list and prioritize patches. First priority is patching and hardening NetWeaver Application Server, then SAP Print Service and SAP Supplier Relationship Management, then all systems exposed to the internet. Ideally, isolate SAP systems from internet access unless their use case requires it.
Learn More
SAP has released the October 2025 Security Patch Day update, delivering 13 new security notes and 4 updates to previously released security notes for vulnerabilities across its software portfolio. The patch release includes fixes for multiple critical-severity flaws, the most severe being a continuation of efforts to harden SAP NetWeaver Application Server Java against an insecure deserialization vulnerability, tracked as CVE-2025-42944.
Vulnerabilities summary
- CVE-2025-42944 (CVSS score 10.0) - Security Hardening for Insecure Deserialization in SAP NetWeaver AS Java: This security note provides additional hardening measures for a critical insecure deserialization vulnerability in the RMI-P4 (Remote Method Invocation - Proprietary Protocol 4) module that was initially patched in September 2025. The October update adds protections by implementing a JVM-wide BlocklistFilter that prevents known vulnerable Java classes from being deserialized during RMI-P4 operations.
- CVE-2025-42937 (CVSS score 9.8) - Directory Traversal Vulnerability in SAP Print Service: This flaw affects SAP Print Service versions SAPSPRINT 8.00 and 8.10, allowing unauthenticated remote attackers to manipulate files outside of intended directories. Attackers can exploit this vulnerability to overwrite critical system files, leading to complete compromise.
- CVE-2025-42910 (CVSS score 9.0) - Unrestricted File Upload Vulnerability in SAP Supplier Relationship Management: This vulnerability affects SAP SRM versions SRMNXP01 100 and 150, enabling authenticated users to upload arbitrary files including executables containing malware. Once uploaded, these malicious files can be executed to achieve complete system takeover. The vulnerability requires only low-privilege authentication, making it accessible to a wide range of potential attackers within the organization.
- CVE-2025-5115 (CVSS score 7.5) is a denial-of-service vulnerability in SAP Commerce Cloud affecting versions HY_COM 2205, COM_CLOUD 2211, and COM_CLOUD 2211-JDK21 in the Search and Navigation component.
- CVE-2025-48913 (CVSS score 7.1) is a security misconfiguration vulnerability in SAP Data Hub Integration Suite version CX_DATAHUB_INT_PACK 2205, which allows attackers on adjacent networks to exploit configuration weaknesses.
- CVE-2025-42901 (CVSS score 5.4) is a code injection vulnerability in the BAPI Browser component of SAP Application Server for ABAP, affecting versions SAP_BASIS 700 through 816.
- CVE-2025-42908 (CVSS score 5.4) is a Cross-Site Request Forgery (CSRF) vulnerability in SAP NetWeaver Application Server for ABAP, affecting multiple KERNEL versions.
- CVE-2025-42906 (CVSS score 5.3) is a directory traversal vulnerability in SAP Commerce Cloud version COM_CLOUD 2211.
- CVE-2025-42902 (CVSS score 5.3) is a memory corruption vulnerability in SAP NetWeaver AS ABAP and ABAP Platform.
Four of the October 2025 security notes are updates to previously released patches from earlier in the year.
- Security Note 3634501 updates the September 2025 patch for CVE-2025-42944 (CVSS score 10.0). This updated security note complements the initial September 2025 patch by adding references to the newly released hardening recommendations and updating workaround descriptions. The update clarifies that the SAP Web Dispatcher does not pass through P4/P5 protocols and is therefore not vulnerable to this attack vector. The note provides enhanced guidance on implementing jdk.serialFilter configurations to block deserialization of dangerous classes as an additional layer of defense.
- Security Note 3503138 updates the January 2025 patch for CVE-2025-0059 (CVSS score 6.0), an information disclosure vulnerability in SAP NetWeaver Application Server ABAP affecting applications based on SAP GUI for HTML.
- Security Note 3441087 updates the June 2025 patch for CVE-2025-42984 (CVSS score 5.4), a missing authorization check in SAP S/4HANA's Manage Central Purchase Contract application affecting S4CORE versions 106, 107, and 108.
- Security Note 3577131 updates the April 2025 patch for CVE-2025-31331 (CVSS score 4.3), an authorization bypass vulnerability in SAP NetWeaver affecting multiple SAP_ABA versions from 700 through 75I.
The update also fixes additional lower severity flaws:
- CVE-2025-42939 (CVSS 4.3) Missing Authorization Check in SAP S/4HANA (Manage Processing Rules - For Bank Statements)
- CVE-2025-42903 (CVSS 4.3) User Enumeration and Sensitive Data Exposure via RFC Function in SAP Financial Service Claims Management
- CVE-2025-31672 (CVSS 3.5) Deserialization Vulnerability in SAP BusinessObjects (Web Intelligence and Platform Search)
- CVE-2025-42909 (CVSS 3.0) Security Misconfiguration vulnerability in SAP Cloud Appliance Library Appliances
Before applying these NetWeaver AS Java hardening patches, which are available for Service Pack (SP) 020 through SP035, organizations must ensure they are running Java 8 Update 121 or higher. The security updates modify the MarshalInputStream component to integrate the BlocklistFilter, so that every deserialization operation validates incoming objects against a blocklist of known dangerous classes before processing them.
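The jdk.serialFilter guidance in Security Note 3634501 and the BlocklistFilter described above both build on the JDK's serialization filtering (JEP 290), which is why Java 8 Update 121 is the floor: that release backported the feature. The following Java program is an added example, not SAP code and not a description of how MarshalInputStream or BlocklistFilter are implemented internally. It applies a filter written in the same pattern syntax that the jdk.serialFilter property accepts and contrasts a pure blocklist (only named classes rejected) with a default-deny pattern that also ends in "!*". The classes Gadget, Ticket and Unlisted are constructed stand-ins for this example; the java.io.ObjectInputFilter API shown requires Java 9 or later, while on Java 8u121 the same patterns are applied through the -Djdk.serialFilter JVM option.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example, not SAP code. Demonstrates JDK serialization filtering (JEP 290),
// the mechanism behind the jdk.serialFilter guidance. All class names below are
// constructed stand-ins and do not refer to any real gadget chain.
public class DeserializationFilterDemo {

    // Stand-in for a known-dangerous class: explicitly blocklisted.
    public static class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        String command = "placeholder";
    }

    // Stand-in for a legitimate application object: explicitly allowed.
    public static class Ticket implements Serializable {
        private static final long serialVersionUID = 1L;
        String user = "alice";
    }

    // Stand-in for a class nobody listed: neither allowed nor blocked by name.
    public static class Unlisted implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Pure blocklist: only the named class is rejected; everything else,
    // including classes no one has assessed yet, is still deserialized.
    static final String BLOCKLIST_PATTERN = "!" + Gadget.class.getName();

    // Default-deny: blocklist entry, explicit allowlist, JDK core classes from
    // the java.base module, a graph depth limit, and "!*" rejecting the rest.
    static final String DEFAULT_DENY_PATTERN =
        "!" + Gadget.class.getName() + ";"
        + Ticket.class.getName() + ";"
        + "java.base/*;"
        + "maxdepth=20;"
        + "!*";

    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(obj);
        }
        return bytes.toByteArray();
    }

    // Returns the deserialized object, or null if the filter rejected the stream.
    static Object readWithFilter(byte[] data, String pattern)
            throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(filter);   // must be set before the first readObject()
            return in.readObject();
        } catch (InvalidClassException rejected) {
            // A REJECTED filter status surfaces as InvalidClassException("filter status: REJECTED")
            return null;
        }
    }

    static String verdict(byte[] data, String pattern) throws Exception {
        return readWithFilter(data, pattern) != null ? "accepted" : "rejected";
    }

    public static void main(String[] args) throws Exception {
        byte[] ticket = serialize(new Ticket());
        byte[] gadget = serialize(new Gadget());
        byte[] unlisted = serialize(new Unlisted());

        String[][] filters = {
            {"blocklist", BLOCKLIST_PATTERN},
            {"default-deny", DEFAULT_DENY_PATTERN},
        };
        for (String[] f : filters) {
            System.out.println(f[0] + " filter: " + f[1]);
            System.out.println("  Ticket   -> " + verdict(ticket, f[1]));    // accepted under both
            System.out.println("  Gadget   -> " + verdict(gadget, f[1]));    // rejected under both
            System.out.println("  Unlisted -> " + verdict(unlisted, f[1]));  // accepted by blocklist only
        }
    }
}
```

To enforce a pattern like this for every ObjectInputStream in the process without touching code, start the JVM with -Djdk.serialFilter='<pattern>' (Java 8u121+), which is the configuration the security note refers to. The Unlisted case is the point to keep in mind when choosing between the two styles: a blocklist stops only the classes already known to be dangerous, whereas a default-deny pattern also stops classes nobody has assessed, at the cost that every legitimate P4 client's object types must be allowlisted, which is exactly why the post-patch testing of Solution Manager, SUM and Integration Broker connections matters.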
Organizations deploying SAP systems should prioritize the October 2025 security updates based on their specific product configurations and exposure levels. Critical flaws and Internet-facing SAP components are a priority.
After applying patches, administrators should verify that the BlocklistFilter is active by reviewing SAP Java logs and should test that legitimate P4 connections such as those from Solution Manager, System Update Manager (SUM), and Integration Broker continue to function correctly.