Severity
High
Analysis Summary
SAP’s October 2025 Security Patch Day delivered crucial updates addressing 13 new vulnerabilities and revising four previous security notes, with several critical flaws affecting SAP NetWeaver. The most severe among them, CVE-2025-42944, is an insecure deserialization vulnerability in NetWeaver AS Java’s RMI-P4 module, rated high severity. This flaw allows unauthenticated remote attackers to gain full system control by sending malicious payloads to open ports (typically 50004 or 50014), exploiting how serialized Java objects are handled without proper validation. Despite an initial fix in September, SAP reinforced the patch with additional safeguards in October after continued risk assessments, as exploitation could lead to data breaches, ransomware, or complete system takeover.
The patch release also includes updates to notes 3660659 and 3634501, introducing a JVM-level serial filter (jdk.serialFilter) to block unsafe deserialization. This measure separates mandatory and optional class lists to prevent gadget-chain-based code execution. Researchers collaborated with SAP on this issue, highlighting its potential to compromise confidentiality, integrity, and availability across interconnected SAP systems. Compounding this risk is CVE-2025-31331, an authorization bypass in older NetWeaver versions (SAP_ABA 700–75I), which enables low-privileged users to access restricted functions and possibly escalate privileges, while CVE-2025-42901 in the BAPI Browser allows code injection by authenticated users, exposing sensitive data. Together, these issues underscore a trend of persistent access control weaknesses that attackers could chain with deserialization exploits for deeper intrusions.
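The allow-list mechanism behind jdk.serialFilter can be seen in isolation with the JDK's ObjectInputFilter API. The following is an added illustration, not code from SAP's notes or from NetWeaver: the class names, the filter pattern and the sample objects are constructed for the example, and SAP's mandatory/optional class lists are not reproduced here. The same pattern syntax is what the -Djdk.serialFilter JVM property accepts, so a process-wide filter behaves the way the per-stream filter below does.

```java
import java.io.*;

public class SerialFilterDemo {
    // Harmless type we deliberately allow (constructed for this example).
    static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // A type that is NOT on the allow-list; stands in for any unexpected class
    // an attacker might try to push through the stream (gadget-chain entry point).
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Allow-list filter: exactly our Greeting class plus java.lang.* (needed for
    // the String field); the trailing "!*" rejects every other class. This is the
    // same pattern grammar used by -Djdk.serialFilter=... at JVM level.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "SerialFilterDemo$Greeting;java.lang.*;!*");

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER);   // filter runs before any class is resolved
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Object ok = deserialize(serialize(new Greeting("hello")));
        System.out.println("allowed: " + ((Greeting) ok).text);
        try {
            deserialize(serialize(new Unexpected()));
            System.out.println("BUG: Unexpected was deserialized");
        } catch (InvalidClassException e) {
            // Rejected before the class is loaded, so no constructor/readObject gadget runs.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Requires Java 9 or later; the rejection surfaces as an InvalidClassException with a "filter status: REJECTED" message, which is the event worth alerting on in application logs.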
Beyond NetWeaver, several high-severity vulnerabilities threaten other SAP components. CVE-2025-42937 impacts SAP Print Service, allowing unauthenticated directory traversal and file overwrites. CVE-2025-42910 (CVSS 9.0) affects Supplier Relationship Management, permitting unrestricted file uploads that can lead to system compromise. Additional flaws include CVE-2025-5115 in SAP Commerce Cloud causing denial of service, CVE-2025-48913 in Data Hub Integration Suite exposing sensitive data, and CVE-2025-42984 in S/4HANA involving missing authorization checks in procurement modules. Medium and low-severity flaws, such as CVE-2025-42902 (memory corruption in ticket verification) and CVE-2025-42909 (minor deserialization issue in Cloud Appliance Library), further illustrate the breadth of SAP’s October patch coverage across its ecosystem.
Security experts warn that SAP environments remain high-value targets, as demonstrated by increasing exploitation of enterprise platforms for espionage, financial theft, and ransomware campaigns. Given the potential for remote unauthenticated attacks, particularly those leveraging NetWeaver’s RMI-P4 deserialization flaw, organizations are strongly urged to apply all patches immediately. SAP customers should access the SAP Support Portal to prioritize updates, implement jdk.serialFilter protections, restrict access to exposed ports, and reinforce multi-layered defenses across critical applications. Prompt remediation is essential to prevent threat actors from exploiting these flaws to compromise mission-critical SAP systems.
Impact
- Sensitive Data Theft
- Security Bypass
- Gain Access
Indicators of Compromise
CVE
- CVE-2025-42944
- CVE-2025-42937
- CVE-2025-42910
- CVE-2025-5115
- CVE-2025-48913
- CVE-2025-0059
- CVE-2025-42901
- CVE-2025-42908
- CVE-2025-42984
- CVE-2025-42906
- CVE-2025-42902
- CVE-2025-42939
- CVE-2025-31331
- CVE-2025-42903
- CVE-2025-31672
- CVE-2025-42909
Affected Vendors
- SAP
Remediation
- Apply all October 2025 SAP Security Patch Day updates immediately through the SAP Support Portal.
- Prioritize patching CVE-2025-42944 on SAP NetWeaver AS Java (RMI-P4) to prevent unauthenticated remote code execution.
- Restrict access to RMI-P4 ports (50004, 50014) using firewalls or network segmentation.
- Enable and properly configure the JVM serial filter (jdk.serialFilter) as introduced in SAP notes 3660659 and 3634501.
- Apply updates for CVE-2025-42937 and CVE-2025-42910 to mitigate directory traversal and unrestricted file upload vulnerabilities.
- Review and update authorization roles in NetWeaver and S/4HANA to prevent exploitation of CVE-2025-31331, CVE-2025-42984, and CVE-2025-42939.
- Implement input validation and file path sanitization in SAP Print Service and Supplier Relationship Management modules.
- Limit access to administrative and configuration interfaces for SAP Commerce Cloud and Data Hub Integration Suite.
- Monitor network logs and SAP application logs for suspicious remote requests or deserialization attempts.
- Enforce least privilege access for all SAP users and restrict sensitive transaction codes.
- Conduct regular vulnerability scans and penetration tests to identify unpatched or misconfigured SAP components.
- Backup critical SAP data and system configurations before and after patching.
- Continuously monitor SAP’s Security Patch Day notes for future updates and apply fixes promptly.