SAP Security Notes, October 2025

Hot news note 3634501 patches a critical insecure deserialization vulnerability in SAP NetWeaver AS Java. The vulnerability can be exploited by attackers to execute arbitrary OS commands. The patch updates the affected P4-Lib component to enforce secure deserialization handling and restrict the acceptance of untrusted Java objects via the RMI-P4 module. As a workaround, network access to the P4 and P4S ports in AS Java should be restricted.

Hot news note 3660659 addresses another insecure deserialization vulnerability in AS Java. The correction in the note blocks vulnerable JDK and third-party classes to prevent exploitation of the vulnerability. A workaround is included in the note for older versions of AS Java that are no longer maintained by SAP. The workaround involves configuring the jdk.serialFilter property to restrict which classes can be deserialized.
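As an added illustration (not code from the SAP note, and not the note's actual filter value), the following shows the kind of allowlist the jdk.serialFilter workaround expresses: the pattern syntax is the same one the property accepts, here installed on a single ObjectInputStream so its effect can be observed; the class names in the pattern and the two sample payloads are chosen for the demonstration.

```java
import java.io.*;
import java.util.*;

public class SerialFilterDemo {

    // Allowlist in jdk.serialFilter syntax: the named classes are allowed, the
    // trailing "!*" rejects every other class, and maxdepth bounds graph nesting.
    // The same string can be applied JVM-wide with -Djdk.serialFilter=<pattern>.
    static final String PATTERN =
        "java.util.ArrayList;java.lang.Integer;java.lang.Number;maxdepth=5;!*";

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the filter installed on this stream only (demo scope).
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(PATTERN);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payloads: one built only from allowlisted classes, one not.
        List<Integer> allowed = new ArrayList<>(List.of(1, 2, 3));
        HashMap<String, String> blocked = new HashMap<>();
        blocked.put("k", "v");

        System.out.println("allowlisted graph: " + deserializeFiltered(serialize(allowed)));

        try {
            deserializeFiltered(serialize(blocked));
            System.out.println("unexpected: HashMap was accepted");
        } catch (InvalidClassException e) {
            // The class descriptor is rejected before HashMap.readObject ever runs.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The rejection happens when the class descriptor is read, so no readObject logic of the blocked class executes, which is the property the workaround relies on.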

Note 3630595 fixes a high-risk directory traversal vulnerability in SAP Print Service (SAPSprint). The correction in the note improves validation of user-supplied path information to prevent attackers from traversing parent directories and compromising system files.

Note 3647332 patches an unrestricted file upload vulnerability in SAP Supplier Relationship Management. The note enhances checks for MIME types and file extensions to prevent the uploading of malicious files such as malware.

Other important security fixes include note 3664466 for a denial of service vulnerability in SAP Commerce Cloud, and note 3658838 for a code execution vulnerability in SAP Data Hub Integration Suite arising from insecure versions of the Apache CXF libraries, which can be exploited via malicious RMI/LDAP endpoints.