SAP Patchday in October: SAP Patches Security Vulnerabilities
Update now: Important security updates and advisories for NetWeaver, Print Service, and Supplier Relationship Management are available, among others.
For the monthly Patchday, SAP has released a series of updates along with associated security advisories as usual. Two of the newly fixed vulnerabilities were rated critical and two more as "High".
IT security officers should promptly apply the available updates listed on SAP's overview page. It is also worthwhile to review the additions the company has made to some older security advisories.
Patch Print Service and SRM quickly
SAP's Print Service (CVE-2025-42937, CVSS score 9.8) and Supplier Relationship Management (CVE-2025-42910, 9.0) are affected by critical vulnerabilities. The former is a directory traversal flaw: attackers could use it to access directories and files outside the intended path and, for example, overwrite system files. The latter stems from missing file upload restrictions (Unrestricted File Upload Vulnerability); attackers could exploit it to upload arbitrary malicious files, such as malware.
SAP has also updated its security advisory for CVE-2025-42944 in NetWeaver AS Java, which carries the highest possible CVSS score of 10.0. The insecure-deserialization flaw was first addressed with the September updates; that SAP is revisiting it now underlines the urgency of the associated fixes and information. The vulnerability can be exploited to inject arbitrary code.
High-Risk Vulnerabilities and Further Information
Vulnerabilities rated "High" are found in SAP Commerce Cloud (Denial-of-Service; CVE-2025-5115, 7.5) and in Data Hub Integration Suite (Security Misconfiguration; CVE-2025-48913, 7.1).
Vulnerabilities of medium and low severity affect, among others, Application Server for ABAP, Commerce Cloud, SAP S/4HANA, Financial Service Claims Management, Business Objects, and Cloud Appliance Library Appliances. Further information on this can be found in SAP's overview of the October Patchday.
(ovw)