SAP’s October 2025 security update addresses several critical and high-risk vulnerabilities, including two “Hot News” notes for insecure deserialization in SAP NetWeaver AS Java. These patches are crucial for preventing arbitrary OS command execution and protecting system integrity across multiple SAP products.
This advisory summarizes the most significant patches released in October 2025. Key fixes address critical insecure deserialization flaws in SAP NetWeaver AS Java, a high-risk directory traversal vulnerability in SAP Print Service, and an unrestricted file upload issue in SAP Supplier Relationship Management. Additional patches cover denial of service and code execution vulnerabilities in SAP Commerce Cloud and SAP Data Hub Integration Suite, respectively. Applying these updates promptly is essential to safeguard SAP systems from potential exploitation.
Key Takeaways
- Two critical “Hot News” notes (3634501, 3660659) patch insecure deserialization vulnerabilities in SAP NetWeaver AS Java.
- A high-risk directory traversal flaw in SAP Print Service (SAPSprint) was fixed by note 3630595.
- Note 3647332 addresses an unrestricted file upload vulnerability in SAP Supplier Relationship Management.
- Other important fixes were released for SAP Commerce Cloud and SAP Data Hub Integration Suite.
- Workarounds are available for some vulnerabilities, but applying the patches is the recommended solution.
October 2025 SAP Security Note Details
| SAP Note | Vulnerability Type | Affected Component | Description |
|---|---|---|---|
| 3634501 | Insecure Deserialization | SAP NetWeaver AS Java | (Hot News) Critical vulnerability allowing arbitrary OS command execution. The patch updates the P4-Lib component. |
| 3660659 | Insecure Deserialization | SAP NetWeaver AS Java | (Hot News) Blocks vulnerable JDK and third-party classes to prevent exploitation. |
| 3630595 | Directory Traversal | SAP Print Service (SAPSprint) | (High Risk) Fixes a flaw that could allow attackers to compromise system files. |
| 3647332 | Unrestricted File Upload | SAP Supplier Relationship Management | Prevents the upload of malicious files by enhancing MIME type and extension checks. |
| 3664466 | Denial of Service | SAP Commerce Cloud | Addresses a DoS vulnerability. |
| 3658838 | Code Execution | SAP Data Hub Integration Suite | Patches a vulnerability from insecure Apache CXF library versions. |
What are the critical insecure deserialization vulnerabilities in AS Java?
SAP released two “Hot News” notes to address critical insecure deserialization vulnerabilities in SAP NetWeaver AS Java.
Note 3634501 patches a flaw that could be exploited by attackers to execute arbitrary OS commands. The fix involves updating the P4-Lib component to enforce secure deserialization and reject untrusted Java objects sent via the RMI-P4 module. As a temporary measure, SAP recommends restricting network access to the P4 and P4S ports.
Note 3660659 provides an additional layer of protection by blocking vulnerable JDK and third-party classes, preventing their deserialization. This note also includes a workaround for older, unmaintained versions of AS Java, which involves applying the jdk.serialFilter parameter to limit which classes can be deserialized.
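The mechanism behind the jdk.serialFilter workaround, as an added example that is not SAP's patch or SAP's filter string: a JEP 290 ObjectInputFilter written in the same pattern syntax that the jdk.serialFilter property accepts. The Ticket class, the pattern and the sample object graph are assumptions made for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;

// Added example (not SAP code): a JEP 290 deserialization filter in the pattern
// syntax of the jdk.serialFilter property. Requires Java 9 or later for java.io.ObjectInputFilter.
public class SerialFilterDemo {

    // Harmless type the application legitimately expects on the wire (constructed for the demo).
    public static final class Ticket implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        Ticket(String id) { this.id = id; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize under an allow-list filter. A class that does not match is rejected
    // with InvalidClassException before any of its readObject()/readResolve() code runs.
    static Object deserializeFiltered(byte[] data, String pattern)
            throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Allow only Ticket and java.lang.String, cap graph depth and array length,
        // and reject everything else ("!*"). Pattern is a demo value, not SAP's.
        String pattern = "SerialFilterDemo$Ticket;java.lang.String;maxdepth=5;maxarray=1000;!*";

        Object accepted = deserializeFiltered(serialize(new Ticket("T-1")), pattern);
        System.out.println("accepted: " + accepted.getClass().getName());

        // ArrayList is not on the allow-list, so the filter stops it at the class descriptor.
        ArrayList<String> notOnList = new ArrayList<>();
        notOnList.add("x");
        try {
            deserializeFiltered(serialize(notOnList), pattern);
            System.out.println("unexpected: ArrayList was not rejected");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with Java 9 or later. The same pattern string can be applied process-wide with -Djdk.serialFilter=... (quote it for the shell), which is how a property-based workaround reaches code that never calls setObjectInputFilter itself; the value for an AS Java instance is whatever the SAP note specifies, not this demo pattern. A filter stops unlisted classes at the class-descriptor stage, before any of their code executes, but it does not make listed classes safe, so the allow-list should be as short as the application's actual wire format permits.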
What other high-risk vulnerabilities were patched?
Beyond the critical AS Java issues, SAP addressed several other high-risk vulnerabilities.
Note 3630595 fixes a high-risk directory traversal vulnerability in SAP Print Service (SAPSprint). This flaw could allow an attacker to traverse parent directories and compromise system files. The correction improves validation for user-provided path information.
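The kind of validation described for note 3630595, as an added example that is not taken from SAP's SAPSprint correction: a containment check of a user-supplied path against a fixed base directory using java.nio.file.Path. The base directory and the sample inputs are constructed for the demonstration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

// Added example (not SAP code): validating a user-supplied path component against a
// base directory. Base path and inputs are hypothetical, Unix-style values.
public class PathCheckDemo {

    // Directory the service may read and write under (hypothetical).
    static final Path BASE = Paths.get("/var/spool/printsvc").toAbsolutePath().normalize();

    // Returns the validated path under BASE, or throws if the input would leave it.
    static Path resolveUnderBase(String userSupplied) {
        if (userSupplied == null || userSupplied.isEmpty() || userSupplied.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("empty or malformed path");
        }
        // resolve() returns an absolute input unchanged; normalize() collapses "." and ".."
        // lexically. Either way, a result that no longer starts with BASE means the
        // caller tried to reach a parent directory or an unrelated location.
        Path candidate = BASE.resolve(userSupplied).normalize();
        if (!candidate.startsWith(BASE)) {
            throw new IllegalArgumentException("path escapes base directory: " + userSupplied);
        }
        return candidate;
    }

    public static void main(String[] args) {
        List<String> inputs = List.of(
                "job-42.prn",            // plain file name
                "queue/job-42.prn",      // file in a subdirectory
                "queue/../job-42.prn",   // ".." that still stays inside BASE
                "../../etc/hosts",       // ".." that climbs above BASE
                "/etc/hosts");           // absolute path outside BASE
        for (String in : inputs) {
            try {
                System.out.println("OK       " + in + " -> " + resolveUnderBase(in));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECTED " + in + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

normalize() is purely lexical: it collapses ".." segments but does not resolve symbolic links, so for files that already exist, comparing candidate.toRealPath() against BASE.toRealPath() is the stricter check. The same startsWith test works for Windows paths, where Path parsing handles backslashes and drive letters; the example uses a Unix base only for brevity.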
Note 3647332 patches an unrestricted file upload vulnerability in SAP Supplier Relationship Management. This correction enhances checks for MIME types and file extensions to prevent attackers from uploading malicious files like malware.
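An upload gate of the kind note 3647332 describes, as an added example that is not SAP's SRM correction: an extension allow-list, a check of the client-declared MIME type, and a magic-byte check of the content itself, since the declared Content-Type alone is client-controlled. The accepted types, file names and sample bytes are constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;

// Added example (not SAP code): combined extension, declared-MIME and magic-byte checks
// for an uploaded file. Policy and samples are hypothetical. Requires Java 9+ for Map.of.
public class UploadCheckDemo {

    // Extension -> the only Content-Type accepted for it (hypothetical policy).
    static final Map<String, String> ALLOWED = Map.of(
            "pdf", "application/pdf",
            "png", "image/png");

    static final byte[] PDF_MAGIC = "%PDF-".getBytes(StandardCharsets.US_ASCII);
    static final byte[] PNG_MAGIC = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};

    // Last extension of the bare file name, lower-cased; "" if there is none.
    // Taking the LAST extension is what defeats names like "report.pdf.exe".
    static String extensionOf(String fileName) {
        String base = fileName.replace('\\', '/');
        base = base.substring(base.lastIndexOf('/') + 1);   // drop any client-supplied directory part
        int dot = base.lastIndexOf('.');
        if (dot < 0 || dot == base.length() - 1) return "";
        return base.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    // Media type without parameters such as "; charset=utf-8", lower-cased.
    static String baseMime(String contentType) {
        if (contentType == null) return "";
        int semi = contentType.indexOf(';');
        String t = semi < 0 ? contentType : contentType.substring(0, semi);
        return t.trim().toLowerCase(Locale.ROOT);
    }

    static boolean hasMagic(byte[] data, byte[] magic) {
        return data.length >= magic.length
                && Arrays.equals(Arrays.copyOf(data, magic.length), magic);
    }

    static boolean isAcceptable(String fileName, String declaredContentType, byte[] content) {
        String ext = extensionOf(fileName);
        String expectedMime = ALLOWED.get(ext);
        if (expectedMime == null) return false;                                // extension not allowed
        if (!expectedMime.equals(baseMime(declaredContentType))) return false; // declared type disagrees
        // The declared Content-Type is client-controlled, so the bytes must agree as well.
        switch (ext) {
            case "pdf": return hasMagic(content, PDF_MAGIC);
            case "png": return hasMagic(content, PNG_MAGIC);
            default:    return false;
        }
    }

    public static void main(String[] args) {
        byte[] pdfBytes = "%PDF-1.7\n%constructed sample\n".getBytes(StandardCharsets.US_ASCII);
        byte[] pngBytes = Arrays.copyOf(PNG_MAGIC, 32);          // PNG header followed by zero padding
        byte[] exeBytes = {'M', 'Z', 0, 0, 'c', 'o', 'n', 's', 't', 'r', 'u', 'c', 't', 'e', 'd'};

        System.out.println("pdf name, pdf type, pdf bytes:      "
                + isAcceptable("report.pdf", "application/pdf", pdfBytes));
        System.out.println("PNG name, png type w/ params, png:  "
                + isAcceptable("logo.PNG", "image/png; q=1", pngBytes));
        System.out.println("double extension .pdf.exe:          "
                + isAcceptable("report.pdf.exe", "application/pdf", pdfBytes));
        System.out.println("pdf name but executable bytes:      "
                + isAcceptable("report.pdf", "application/pdf", exeBytes));
        System.out.println("pdf name, generic declared type:    "
                + isAcceptable("report.pdf", "application/octet-stream", pdfBytes));
    }
}
```

Magic-byte checks only cover formats with a fixed signature; for container formats (Office documents, ZIP-based bundles) the check belongs on the inner structure, and a rejected file should never be written to disk under its original name before the decision is made.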
What other notable security fixes were released?
Other significant patches in the October 2025 update include note 3664466 for a denial of service (DoS) vulnerability in SAP Commerce Cloud. Additionally, note 3658838 addresses a code execution vulnerability in the SAP Data Hub Integration Suite, which arises from insecure versions of Apache CXF libraries that could be exploited to supply malicious RMI/LDAP endpoints.
Frequently Asked Questions (FAQ)
What was the most critical SAP vulnerability in October 2025?
The most critical vulnerabilities were two insecure deserialization flaws in SAP NetWeaver AS Java, addressed by Hot News notes 3634501 and 3660659, which could allow for arbitrary OS command execution.
What is the workaround for the AS Java vulnerability in note 3634501?
The recommended workaround is to restrict network access to the P4 and P4S ports in the AS Java system to prevent unauthorized connections.
How was the directory traversal vulnerability in SAPSprint (note 3630595) fixed?
The correction improves the validation of path information provided by users, which prevents attackers from using directory traversal techniques to access or overwrite system files.