SAP’s October Security Patch Day lands with several issues that demand rapid triage, from a critical remote code execution path in NetWeaver AS Java to an unauthenticated directory traversal in SAPSprint and multiple fixes across SAP Commerce, S/4HANA, and BusinessObjects. Security teams should prioritize Internet‑facing services and kernel‑level updates, then work through application‑layer items with targeted mitigations and regression testing.
Critical Priority Notes
CVE‑2025‑42944 – NetWeaver AS Java (RMI‑P4) | Insecure Deserialization
Priority: Critical | CVSS: 10.0
Security Impact: Unauthenticated RCE via P4/P4S. Patch the P4 libraries and restrict exposure of P4 ports; the companion hardening note adds JVM deserialization filters.
Breakdown of Security Impact of CVE‑2025‑42944
Unauthenticated attackers can send malicious objects to P4/P4S to execute OS‑level commands, with full confidentiality, integrity, and availability impact. SAP patches the affected P4 libraries and advises network‑level isolation of P4/P4S as an interim measure. Apply the listed ServerCore patches; the note was re‑released in October with additional guidance and cross‑references.
Advisory for CVE‑2025‑42944 | AS Java – Security Hardening for Deserialization
This companion note blocks known dangerous classes and provides a jdk.serialFilter parameter you can set via NWA or ConfigTool to restrict deserialization. Treat it as additive hardening alongside the RMI‑P4 patch; prerequisites include JVM > 8u121 and review of SCA dependencies before update.
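To make the deserialization-filter mechanism concrete, here is an added example (not SAP's note and not its exact filter string) showing how a jdk.serialFilter-style allow-list pattern rejects any class outside the list before its deserialization logic runs. It assumes Java 9+ (java.io.ObjectInputFilter), applies the filter per stream rather than JVM-wide so it runs stand-alone, and uses java.util.Date purely as a stand-in for an unexpected class.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SerialFilterDemo {
    // Assumed allow-list in jdk.serialFilter syntax (illustrative, not SAP's pattern):
    // cap nesting depth and object count, permit java.lang types and this demo's
    // own payload class, and reject everything else with the trailing "!*".
    static final String FILTER_PATTERN =
        "maxdepth=5;maxrefs=500;java.lang.*;SerialFilterDemo$Payload;!*";

    // The business object a service legitimately expects to receive.
    static final class Payload implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        Payload(String name) { this.name = name; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Same effect as setting jdk.serialFilter JVM-wide, scoped to this stream only.
    static Object deserialize(byte[] data, String pattern)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(pattern));
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Allowed class: passes the filter and is reconstructed normally.
        Payload ok = (Payload) deserialize(serialize(new Payload("order-42")), FILTER_PATTERN);
        System.out.println("accepted: " + ok.name);
        // Class not on the allow-list: the filter rejects it while reading the class
        // descriptor, so no constructor or readObject logic of that class ever executes.
        try {
            deserialize(serialize(new java.util.Date()), FILTER_PATTERN);
            System.out.println("BUG: unlisted class accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string, set as `-Djdk.serialFilter=...` or via the property the SAP note describes, applies to every ObjectInputStream in the JVM; keep a log of filter rejections, since each one is either a missing legitimate class or an attempt worth investigating.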
CVE‑2025‑42937 – SAPSPRINT | Directory Traversal
Priority: Critical | CVSS: 9.8
Security Impact: An unauthenticated network attacker can traverse directories and overwrite system files; no workaround; apply SAPSPRINT patches.
Security Implications of CVE‑2025‑42937
Insufficient path validation allows unauthenticated, remote directory traversal and potential overwrite of system files. There is no workaround; deploy the SAPSPRINT updates for the supported versions as indicated.
Security Impact: A low‑privilege user can upload arbitrary files (UI interaction required); implement the MIME/extension validation fix.
Security Implications of CVE‑2025‑42910
In SRM Shopping Cart (SRM‑UIA‑SHP‑BD), a low‑privileged authenticated user can upload arbitrary files; exploitation requires user interaction but has high impact (S:C). The fix enforces MIME type and extension checks; no workaround is provided.
SAP Commerce Cloud (Search & Navigation) – HTTP/2 DoS (CVE‑2025‑5115)
Priority: High | CVSS: 7.5
Security Impact: A Jetty HTTP/2 flaw enables resource exhaustion; upgrade to the specified Commerce patch releases.
Security Implications of CVE‑2025‑5115
Crafted HTTP/2 streams can force excessive server resource use. SAP delivers updated Jetty libraries in Commerce patch releases (2211‑jdk21.2, 2211.45, 2205.43); rebuild and redeploy after patching.
CVE‑2025‑48913 – Data Hub Integration Suite – JMS/JNDI Misconfiguration via Apache CXF
Priority: High | CVSS: 7.1
Security Impact: If JMS settings can be altered and outbound RMI/LDAP is allowed, attacker‑guided endpoints could trigger code execution; upgrade CXF to 3.6.8 and apply the listed extension pack.
Security Implications of CVE‑2025‑48913
Using Apache CXF 3.5.1 with JMS/JNDI can let an unauthenticated user direct the system to malicious RMI/LDAP endpoints, potentially leading to code execution (adjacent network; high complexity; UI required). Mitigate by upgrading to CXF 3.6.8 and deploying the SAP Commerce Integration Extension Pack 2205.17.
Medium Priority Notes
CVE‑2025‑0059 – NetWeaver AS ABAP (SAP GUI for HTML)
Client‑side input history stored in browser storage can be read by an OS‑level attacker with high privileges; SAP updated the workaround guidance and plans an encryption‑based solution. To reduce risk now, disable input history or shorten data aging in the service configuration.
CVE‑2025‑42908 – NetWeaver AS ABAP | CSRF via Session Manager
Priority: Medium | CVSS: 5.4 | Notes: CVE‑2025‑42908 | Title: NetWeaver AS ABAP – CSRF via Session Manager
Inconsistent handling of CSRF protection and ‘skip first screen’ parameters allows low‑privilege users to trigger transactions without the usual first‑screen checks. Apply the listed kernel patches; no separate workaround beyond patching is required.
CVE‑2025‑42902 – NetWeaver AS ABAP | Memory Corruption in Ticket Verification
Priority: Medium | CVSS: 5.3 | Notes: CVE‑2025‑42902 | Title: NetWeaver AS ABAP – Memory Corruption in Ticket Verification
Malformed SAP Logon/Assertion tickets can cause a null‑pointer dereference and a work process crash (unauthenticated DoS). Patch the kernel; as a temporary workaround, you can disable acceptance of SSO2 tickets (login/accept_sso2_ticket=0), bearing in mind the potential impact on SSO integrations.
Missing input validation in the BAPI Browser (BAPI Explorer) lets low‑privileged users store JavaScript that executes in another user’s browser. The fix validates and escapes input; deploy the provided correction instructions or support packages.
A low‑privilege authenticated attacker could delete conditions from shared rules by tampering with a request parameter, compromising data integrity. SAP adds the missing authorization check; implement the correction instructions for S4CORE.
CVE‑2025‑42903 – Financial Services Claims Management | User Enumeration via RFC
Priority: Medium | CVSS: 4.3 | Notes: CVE‑2025‑42903 | Title: Financial Services Claims Management – User Enumeration via RFC
A remote‑enabled function module returns different responses based on user existence, enabling account enumeration by low‑privileged users with RFC access. SAP now enforces authorization checks and returns uniform errors to block enumeration.
CVE‑2025‑42906 – Commerce Cloud | Admin Console Path Traversal/Isolation Gap
Priority: Medium | CVSS: 5.3 | Notes: CVE‑2025‑42906 | Title: Commerce Cloud – Admin Console Path Traversal/Isolation Gap
Insufficient isolation and checks may expose the Administration Console via endpoints where it isn’t explicitly deployed. SAP provides steps to host HAC on a separate virtual host (Tomcat) and to secure the internal endpoint.
Low Priority Notes
CVE‑2025‑31672 | BusinessObjects Web Intelligence and Platform Search | Apache POI Deserialization
Priority: Low | CVSS: 3.5 | Notes: CVE‑2025‑31672 | Title: BusinessObjects Web Intelligence and Platform Search – Apache POI Deserialization
A vulnerable POI version could mishandle Excel files, allowing limited metadata manipulation (integrity only). Update to the secure POI version delivered in the referenced support packages.
BusinessObjects Web Intelligence Cloud Appliance Library | S/4HANA Appliance Misconfiguration
Older CAL templates (created before July 20, 2025) may inherit S/4HANA defaults that enable SSO2 ticket use across appliances. SAP’s manual activity disables SSO2 ticketing and regenerates SYSTEM PSE (STRUST) to prevent cross‑appliance access.
CVE‑2025‑31331 (Revised) | NetWeaver – Authorization Bypass in Technical Application Support
Priority: Low | CVSS: 4.3 | Notes: CVE‑2025‑31331 | Title: NetWeaver – Authorization Bypass in Technical Application Support
An authorization check applied at the wrong stage lets low‑privileged users view ABAP code via a specific transaction. SAP adds an additional check and narrows result display; October’s re‑release updates the correction instructions.
Trends and Insights
Deserialization remains the major risk. The P4/RMI chain continues to drive critical exposure in AS Java, with SAP issuing both a direct fix and a hardened JVM configuration to reduce gadget‑class abuse.
Kernel and ticketing defenses should be a focus for security teams. Multiple kernel notes touch session handling and ticket validation, underscoring the need to keep ABAP kernels current and to revisit SSO2 dependencies before enabling temporary workarounds.
Third‑party library hygiene is a must. The Jetty (HTTP/2), Apache CXF (JMS/JNDI), and Apache POI updates highlight supply‑chain upkeep in the SAP Commerce, Data Hub, and BI stacks; patching here directly lowers your blast radius from upstream issues.
Classic web risks persist in business apps. File upload validation (SRM), path traversal (SAPSprint; Commerce HAC), and missing auth checks (S/4HANA FI; Claims RFC) remind teams to monitor ‘low‑privilege + network’ patterns that can pivot into data tampering or lateral movement.
Pathlock Security Insights
The October 2025 releases (critical middleware, kernel fixes, and library updates) require continuous monitoring and automated patch prioritization.
Identify applicable SAP notes and misconfigurations with automated vulnerability checks,
Detect exploitation attempts across 70+ SAP log sources with ready‑made threat rules, and
Enforce granular, attribute‑based access to reduce business impact while changes roll out.
Code scanning and transport control further prevent risky customizations from reaching production.
Conclusion
Patch the AS Java RMI‑P4 stack and implement the deserialization hardening without delay, then move to SAPSprint and the Commerce/Data Hub items to shrink the external attack surface. After kernel and component updates, run regression tests on integration and SSO flows and keep an eye on exploitation telemetry, especially around P4 exposure, HTTP/2 traffic spikes, and upload/print paths. Document mitigations where patches require scheduling, and monitor for deviations until updates are fully deployed.