
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN694
_____________________________________________________________________

DATE                : 15/10/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running SAP products.

=====================================================================
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/october-2025.html
_____________________________________________________________________


SAP Security Patch Day - October 2025

This post shares information on the security notes that remediate
vulnerabilities discovered in SAP products. SAP strongly recommends
that customers visit the Support Portal and apply the patches as a
priority to protect their SAP landscape.

On 14 October 2025, SAP Security Patch Day saw the release of
13 new security notes and 4 updates to previously released security
notes. Four of the 17 entries are rated Critical (CVSS 9.0 to 10.0),
two of them (a new note and an updated one) for the same insecure
deserialization issue in SAP NetWeaver AS Java, CVE-2025-42944.


Note#    Title / Product / Versions                       Priority   CVSS

3660659
[CVE-2025-42944] Security Hardening for Insecure Deserialization
in SAP NetWeaver AS Java
Product - SAP NetWeaver AS Java
Version - SERVERCORE 7.50
    Critical      10.0

3634501
Update to Security Note released on September 2025 Patch Day:
[CVE-2025-42944] Insecure Deserialization vulnerability in SAP
NetWeaver (RMI-P4)
Product - SAP NetWeaver AS Java
Version - SERVERCORE 7.50
    Critical      10.0

3630595
[CVE-2025-42937] Directory Traversal vulnerability in SAP Print
Service
Product - SAP Print Service
Versions - SAPSPRINT 8.00, 8.10
    Critical      9.8

3647332
[CVE-2025-42910] Unrestricted File Upload Vulnerability in SAP
Supplier Relationship Management
Product - SAP Supplier Relationship Management
Versions - SRMNXP01 100, 150
    Critical      9.0

3664466
[CVE-2025-5115] Denial of service (DoS) in SAP Commerce Cloud
(Search and Navigation)
Product - SAP Commerce Cloud
Versions - HY_COM 2205, COM_CLOUD 2211, 2211-JDK21
    High          7.5

3658838
[CVE-2025-48913] Security Misconfiguration vulnerability in
SAP Data Hub Integration Suite
Product - SAP Data Hub Integration Suite
Version - CX_DATAHUB_INT_PACK 2205
    High          7.1

3503138
Update to Security Note released on January 2025 Patch Day:
[CVE-2025-0059] Information Disclosure vulnerability in SAP
NetWeaver Application Server ABAP (applications based on
SAP GUI for HTML)
Product - SAP NetWeaver Application Server ABAP
Versions - KRNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89,
7.93, 9.12, 9.14
    Medium        6.0

3652788
[CVE-2025-42901] Code Injection vulnerability in SAP
Application Server for ABAP (BAPI Browser)
Product - SAP Application Server for ABAP
Versions - SAP_BASIS 700, 701, 702, 731, 740, 750, 751,
752, 753, 754, 755, 756, 757, 758, 816
    Medium        5.4

3642021
[CVE-2025-42908] Cross-Site Request Forgery (CSRF)
vulnerability in SAP NetWeaver Application Server for
ABAP
Product - SAP NetWeaver Application Server for ABAP
Versions - KRNL64UC 7.53, KERNEL 7.53, 7.54, 7.77,
7.89, 7.93, 9.16
    Medium        5.4

3441087
Update to Security Note released on June 2025 Patch Day:
[CVE-2025-42984] Missing Authorization check in SAP
S/4HANA (Manage Central Purchase Contract application)
Product - SAP S/4HANA
Versions - S4CORE 106, 107, 108
    Medium        5.4

3634724
[CVE-2025-42906] Directory Traversal vulnerability in
SAP Commerce Cloud
Product - SAP Commerce Cloud
Version - COM_CLOUD 2211
    Medium        5.3

3627308
[CVE-2025-42902] Memory Corruption vulnerability in
SAP NetWeaver AS ABAP and ABAP Platform
Product - SAP NetWeaver AS ABAP and ABAP Platform
Versions - KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22,
7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89,
7.93, 9.14, 9.15, 9.16
    Medium        5.3

3625683
[CVE-2025-42939] Missing Authorization Check in SAP
S/4HANA (Manage Processing Rules - For Bank Statements)
Product - SAP S/4HANA
Versions - S4CORE 104, 105, 106, 107, 108, 109
    Medium        4.3

3577131
Update to Security Note released on April 2025 Patch Day:
[CVE-2025-31331] Authorization Bypass vulnerability in
SAP NetWeaver
Product - SAP NetWeaver
Versions - SAP_ABA 700, 701, 702, 731, 740, 750, 751, 752,
75C, 75D, 75E, 75F, 75G, 75H, 75I
    Medium        4.3

3656781
[CVE-2025-42903] User Enumeration and Sensitive Data
Exposure via RFC Function in SAP Financial Service Claims
Management
Product - SAP Financial Service Claims Management
Versions - INSURANCE 803, 804, 805, 806, S4CEXT 107, 108, 109
    Medium        4.3

3617142
[CVE-2025-31672] Deserialization Vulnerability in SAP
BusinessObjects (Web Intelligence and Platform Search)
Product - SAP BusinessObjects
Versions - ENTERPRISE 430, 2025, 2027
    Low           3.5

3643871
[CVE-2025-42909] Security Misconfiguration vulnerability
in SAP Cloud Appliance Library Appliances
Product - SAP Cloud Appliance Library Appliances
Version - TITANIUM_WEBAPP 4.0
    Low           3.0
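The list above is meant to be triaged against the software component
releases actually installed on each system (the data SAP GUI shows under
System > Status). The Python script below is an added example, not code
from SAP or CERT-Renater: it parses the note list in the layout used
above into structured records and reports which notes name an installed
component release, highest CVSS first. The two entries in SAMPLE are
taken from the note list (the parser tolerates the spacing and dash
variants found in SAP's post); INVENTORY is a hypothetical inventory,
and matching on release alone deliberately over-approximates, because
this list does not carry the Support Package level that fixes each note.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: two entries taken from the note list above, in the
# layout SAP's Patch Day post uses (note number, wrapped title, Product, Versions,
# then "<Priority> <CVSS>"); the real list has 17 such entries.
SAMPLE = """\
3660659
[CVE-2025-42944] Security Hardening for Insecure Deserialization
in SAP NetWeaver AS Java
Product - SAP NetWeaver AS Java
Version - SERVERCORE 7.50
     Critical       10.0

3503138
Update to Security Note released on January 2025 Patch Day:
[CVE-2025-0059] Information Disclosure vulnerability in SAP
NetWeaver Application Server ABAP (applications based on
SAP GUI for HTML)
Product- SAP NetWeaver Application Server ABAP
Versions – KRNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89,
7.93, 9.12, 9.14
    Medium       6.0
"""

@dataclass
class Note:
    number: str
    cve: str
    title: str
    product: str
    priority: str
    cvss: float
    update: bool  # True for "Update to Security Note ..." entries
    versions: dict[str, set[str]] = field(default_factory=dict)  # component -> releases

NOTE_RE = re.compile(r"^\d{7}$")
CVE_RE = re.compile(r"\[(CVE-\d{4}-\d+)\]")
PROD_RE = re.compile(r"^Product\s*[-\u2013]\s*(.+)$")   # tolerates "Product- " and an en dash
VERS_RE = re.compile(r"^Versions?\s*[-\u2013]\s*(.+)$")
PRIO_RE = re.compile(r"^(Critical|High|Medium|Low)\s+(\d+(?:\.\d+)?)$")

def parse_versions(spec: str) -> dict[str, set[str]]:
    """'KRNL64UC 7.53, KERNEL 7.53, 7.54' -> {'KRNL64UC': {'7.53'}, 'KERNEL': {'7.53', '7.54'}}."""
    out: dict[str, set[str]] = {}
    component = None
    for parts in (t.split() for t in spec.split(",") if t.strip()):
        if len(parts) == 2:                        # "COMPONENT release"
            component, release = parts
        elif len(parts) == 1 and component is not None:
            release = parts[0]                     # bare release inherits the last component
        else:
            raise ValueError(f"unparseable version token: {parts!r}")
        out.setdefault(component, set()).add(release)
    return out

def parse_notes(text: str) -> list[Note]:
    notes: list[Note] = []
    number, product, in_versions = None, "", False
    title_lines: list[str] = []
    version_lines: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if NOTE_RE.match(line):                    # an entry starts with its 7-digit note number
            number, product, in_versions = line, "", False
            title_lines, version_lines = [], []
        elif number is None:                       # header text before the first entry
            continue
        elif m := PRIO_RE.match(line):             # "<Priority> <CVSS>" closes the entry
            title = " ".join(title_lines)
            cve = CVE_RE.search(title)
            notes.append(Note(number, cve.group(1) if cve else "", title, product,
                              m.group(1), float(m.group(2)),
                              title.startswith("Update to Security Note"),
                              parse_versions(" ".join(version_lines))))
            number = None
        elif m := PROD_RE.match(line):
            product = m.group(1).strip()
        elif m := VERS_RE.match(line):
            version_lines, in_versions = [m.group(1)], True
        elif in_versions:                          # wrapped continuation of the Versions line
            version_lines.append(line)
        else:                                      # wrapped continuation of the title
            title_lines.append(line)
    return notes

# Hypothetical inventory of one system's installed components (what SAP GUI shows
# under System > Status); component names and releases here are assumptions.
INVENTORY = {"SERVERCORE": "7.50", "KERNEL": "7.53", "SAP_BASIS": "750"}

def affected_notes(notes: list[Note], inventory: dict[str, str]) -> list[tuple]:
    """Notes whose affected versions name an installed (component, release), highest CVSS
    first. A hit means "read the note", not "vulnerable": the list carries no fixing
    Support Package level, so a release that is already patched still matches."""
    hits = [(n.number, n.cve, comp, rel, n.priority, n.cvss)
            for n in notes for comp, rel in inventory.items()
            if rel in n.versions.get(comp, ())]
    return sorted(hits, key=lambda h: h[5], reverse=True)
```

To run it against the whole Patch Day list, replace SAMPLE with the text
of the table; then confirm each hit against the Support Package or
kernel patch level named in the note's correction instructions, which
is the information this list does not carry.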

To learn more about the security researchers and research companies
who contributed to this month's security patches, visit the
acknowledgements page linked from the original post.
SAP is committed to delivering trustworthy products and cloud
services. Secure configuration is essential to secure operation and
data integrity, so SAP has consolidated its security recommendations
in a dedicated document (linked from the original post) to help you
configure your SAP portfolio securely.

Archived Patch Day posts from previous years are available on the
SAP Support Portal. If you have any comments or feedback about this
post, you can write to secure@sap.com.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |  email: cert@support.renater.fr +
=========================================================