SAP Security Notes - 10/25 - SecurityBridge Cloud

We've created the first of its kind, SecurityBridge Cloud Platform, designed to prioritize SAP patches, updates, and remediation strategies that help prevent disruptions to critical business systems. Our security advisories provide SAP users with valuable insights into the security and business implications of operating SAP.

The user interface is designed to be as intuitive as possible, but we’d love to hear your feedback and suggestions.
We hope you enjoy using it!

× Yikes, there is work to do!
This time we found critical correction advisiories. We count 23 and the highest CVSS score is 10.0.

Severity

SAP© Security advisories 23

System Types

Affected SAP© system types

_{Related note}
3634501

_CVSS
10.0

_{Affected system
type}
Java

_Patchday
2025-10

_{Released
on}
2025/09/09

Description
[CVE-2025-42944] Insecure Deserialization vulnerability in SAP Netweaver (RMI-P4)

Security Advisory

_{Related note}
3643865

_CVSS
9.9

_{Affected system
type}
Java

_Patchday
2025-10

_{Released
on}
2025/09/09

Description
[CVE-2025-42922] Insecure File Operations vulnerability in SAP NetWeaver AS Java (Deploy Web Service)

Security Advisory

_{Related note}
3630595

_CVSS
9.8

_{Affected system
type}
SAPSprint

_Patchday
2025-10

_{Released
on}
2025/10/14

Description
[CVE-2025-42937] Directory Traversal vulnerability in SAP Print Service

Security Advisory

_{Related note}
3302162

_CVSS
9.6

_{Affected system
type}
ABAP

_Patchday
2025-10

_{Released
on}
2023/03/14

Description
[CVE-2023-27500] Directory Traversal vulnerability in SAP NetWeaver AS for ABAP and ABAP Platform

Security Advisory

_{Related note}
3647332

_CVSS
9.0

_{Affected system
type}
ABAP

_Patchday
2025-10

_{Released
on}
2025/10/14

Description
[CVE-2025-42910] Unrestricted File Upload Vulnerability in SAP Supplier Relationship Management

Security Advisory

_{Related note}
3664466

_CVSS
7.5

_{Affected system
type}
SAP Commerce Cloud

_Patchday
2025-10

_{Released
on}
2025/10/14

Description
[CVE-2025-5115] Denial of service (DOS) in SAP Commerce Cloud (Search and Navigation)

Security Advisory

_{Related note}
3658838

_CVSS
7.1

_{Affected system
type}
SAP Data Hub

_Patchday
2025-10

_{Released
on}
2025/10/14

Description
[CVE-2025-48913]Security Misconfiguration vulnerability in SAP Data Hub Integration Suite

Security Advisory

_{Related note}
3635587

_CVSS
6.5

_{Affected system
type}
ABAP

_Patchday
2025-10

_{Released
on}
2025/09/09

Description
[CVE-2025-42912] Missing Authorization check in SAP HCM (My Timesheet Fiori 2.0 application)

Security Advisory

_{Related note}
3643832

_CVSS
6.5

_{Affected system
type}
ABAP

_Patchday
2025-10

_{Released
on}
2025/09/09

Description
[CVE-2025-42917] Missing Authorization check in SAP HCM (Approve Timesheets Fiori 2.0 application)

Security Advisory

_{Related note}
3503138

_CVSS
6.0

_{Affected system
type}
SAP GUI / Frontend

_Patchday
2025-10

_{Released
on}
2025/01/14

Description
[CVE-2025-0059] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (applications based on SAP GUI for HTML)

Security Advisory

_{Related note}
3652788

_CVSS
5.4

_{Affected system
type}
ABAP

_Patchday
2025-10

_{Released
on}
2025/10/14

Description
[CVE-2025-42901] Code Injection vulnerability in SAP Application Server for ABAP (BAPI Browser)

Security Advisory

_{Related note}
3441087

_CVSS
5.4

_{Affected system
type}
ABAP

_Patchday
2025-10

_{Released
on}
2025/06/10

Description
[CVE-2025-42984] Missing Authorization check in SAP S/4HANA (Manage Central Purchase Contract application)

Security Advisory

_{Related note}
3409013

_CVSS
5.4

_{Affected system
type}
ABAP

_Patchday
2025-10

_{Released
on}
2025/09/09

Description
[CVE-2025-42915] Missing Authorization Check in Fiori app (Manage Payment Blocks)

Security Advisory

_{Related note}
3642021

_CVSS
5.4

_{Affected system
type}
Kernel

_Patchday
2025-10

_{Released
on}
2025/10/14

Description
[CVE-2025-42908] Cross-Site Request Forgery (CSRF) vulnerability in SAP NetWeaver Application Server for ABAP

Security Advisory

_{Related note}
3634724

_CVSS
5.3

_{Affected system
type}
SAP Commerce Cloud

_Patchday
2025-10

_{Released
on}
2025/10/14

Description
[CVE-2025-42906] Directory Traversal vulnerability in SAP Commerce Cloud

Security Advisory

_{Related note}
3627308

_CVSS
5.3

_{Affected system
type}
Kernel

_Patchday
2025-10

_{Released
on}
2025/10/14

Description
[CVE-2025-42902] Memory Corruption vulnerability in SAP Netweaver AS ABAP and ABAP Platform

Security Advisory

_{Related note}
3625683

_CVSS
4.3

_{Affected system
type}
ABAP

_Patchday
2025-10

_{Released
on}
2025/10/14

Description
[CVE-2025-42939] Missing Authorization Check in SAP S/4HANA (Manage Processing Rules - For Bank Statements)

Security Advisory

_{Related note}
3540622

_CVSS
4.3

_{Affected system
type}
BI/BO platform

_Patchday
2025-10

_{Released
on}
2025/09/23

Description
[CVE-2025-42907] Server-Side Request Forgery in SAP BI Platform

Security Advisory

_{Related note}
3577131

_CVSS
4.3

_{Affected system
type}
ABAP

_Patchday
2025-10

_{Released
on}
2025/04/08

Description
[CVE-2025-31331] Authorization Bypass vulnerability in SAP NetWeaver

Security Advisory

_{Related note}
3656781

_CVSS
4.3

_{Affected system
type}
ABAP

_Patchday
2025-10

_{Released
on}
2025/10/14

Description
[CVE-2025-42903] User Enumeration and Sensitive Data Exposure via RFC Function in SAP Financial Service Claims Management

Security Advisory

_{Related note}
3623504

_CVSS
4.3

_{Affected system
type}
ABAP

_Patchday
2025-10

_{Released
on}
2025/09/09

Description
[CVE-2025-42918] Missing Authorization check in SAP NetWeaver Application Server for ABAP (Background Processing)

Security Advisory

_{Related note}
3617142

_CVSS
3.5

_{Affected system
type}
BI/BO platform

_Patchday
2025-10

_{Released
on}
2025/10/14

Description
[CVE-2025-31672] Deserialization Vulnerability in SAP BusinessObjects (Web Intelligence and Platform Search)

Security Advisory

_{Related note}
3643871

_CVSS
3.0

_{Affected system
type}
ABAP

_Patchday
2025-10

_{Released
on}
2025/10/14

Description
[CVE-2025-42909] Security Misconfiguration vulnerability in SAP Cloud Appliance Library Appliances

Security Advisory

Notifications

Severity

SAP© Security advisories 23

System Types

Affected SAP© system types

Related note 3634501

CVSS 10.0

Affected system type Java

Patchday2025-10

Released on2025/09/09

Related note 3643865

CVSS 9.9

Affected system type Java

Patchday2025-10

Released on2025/09/09

Related note 3630595

CVSS 9.8

Affected system type SAPSprint

Patchday2025-10

Released on2025/10/14

Related note 3302162

CVSS 9.6

Affected system type ABAP

Patchday2025-10

Released on2023/03/14

Related note 3647332

CVSS 9.0

Affected system type ABAP

Patchday2025-10

Released on2025/10/14

Related note 3664466

CVSS 7.5

Affected system type SAP Commerce Cloud

Patchday2025-10

Released on2025/10/14

Related note 3658838

CVSS 7.1

Affected system type SAP Data Hub

Patchday2025-10

Released on2025/10/14

Related note 3635587

CVSS 6.5

Affected system type ABAP

Patchday2025-10

Released on2025/09/09

Related note 3643832

CVSS 6.5

Affected system type ABAP

Patchday2025-10

Released on2025/09/09

Related note 3503138

CVSS 6.0

Affected system type SAP GUI / Frontend

Patchday2025-10

Released on2025/01/14

Related note 3652788

CVSS 5.4

Affected system type ABAP

Patchday2025-10

Released on2025/10/14

Related note 3441087

CVSS 5.4

Affected system type ABAP

Patchday2025-10

Released on2025/06/10

Related note 3409013

CVSS 5.4

Affected system type ABAP

Patchday2025-10

Released on2025/09/09

Related note 3642021

CVSS 5.4

Affected system type Kernel

Patchday2025-10

Released on2025/10/14

Related note 3634724

CVSS 5.3

Affected system type SAP Commerce Cloud

Patchday2025-10

Released on2025/10/14

_{Related note}
3634501

_CVSS
10.0

_{Affected system
type}
Java

_Patchday
2025-10

_{Released
on}
2025/09/09

_{Related note}
3643865

_CVSS
9.9

_{Affected system
type}
Java

_Patchday
2025-10

_{Released
on}
2025/09/09

_{Related note}
3630595

_CVSS
9.8

_{Affected system
type}
SAPSprint

_Patchday
2025-10

_{Released
on}
2025/10/14

_{Related note}
3302162

_CVSS
9.6

_{Affected system
type}
ABAP

_Patchday
2025-10

_{Released
on}
2023/03/14

_{Related note}
3647332

_CVSS
9.0

_{Affected system
type}
ABAP

_Patchday
2025-10

_{Released
on}
2025/10/14

_{Related note}
3664466

_CVSS
7.5

_{Affected system
type}
SAP Commerce Cloud

_Patchday
2025-10

_{Released
on}
2025/10/14

_{Related note}
3658838

_CVSS
7.1

_{Affected system
type}
SAP Data Hub

_Patchday
2025-10

_{Released
on}
2025/10/14

_{Related note}
3635587

_CVSS
6.5

_{Affected system
type}
ABAP

_Patchday
2025-10

_{Released
on}
2025/09/09

_{Related note}
3643832

_CVSS
6.5

_{Affected system
type}
ABAP

_Patchday
2025-10

_{Released
on}
2025/09/09

_{Related note}
3503138

_CVSS
6.0

_{Affected system
type}
SAP GUI / Frontend

_Patchday
2025-10

_{Released
on}
2025/01/14

_{Related note}
3652788

_CVSS
5.4

_{Affected system
type}
ABAP

_Patchday
2025-10

_{Released
on}
2025/10/14

_{Related note}
3441087

_CVSS
5.4

_{Affected system
type}
ABAP

_Patchday
2025-10

_{Released
on}
2025/06/10

_{Related note}
3409013

_CVSS
5.4

_{Affected system
type}
ABAP

_Patchday
2025-10

_{Released
on}
2025/09/09

_{Related note}
3642021

_CVSS
5.4

_{Affected system
type}
Kernel

_Patchday
2025-10

_{Released
on}
2025/10/14

_{Related note}
3634724

_CVSS
5.3

_{Affected system
type}
SAP Commerce Cloud

_Patchday
2025-10

_{Released
on}
2025/10/14

_{Related note}
3627308

_CVSS
5.3

_{Affected system
type}
Kernel

_Patchday
2025-10

_{Released
on}
2025/10/14