SAP Security Notes, September 2025

Hot News note 3634501 patches a critical insecure deserialization vulnerability in the Internet Communication Manager (ICM) of SAP NetWeaver AS Java. The vulnerability can be exploited to execute arbitrary OS commands, which could lead to the full compromise of AS Java systems, and it is therefore rated CVSS 10/10. Since the vulnerability affects the proprietary SAP P4 protocol, the patch provided in note 3634501 enforces secure deserialization and restricts the acceptance of untrusted Java objects via the RMI-P4 module. The note also provides workarounds: bind the P4 listening port to specific authorized hosts using the HOST option of profile parameter icm/server_port_<xx>, and restrict client connections to the ICM with an Access Control List (ACL) whose file path is set with the ACLFILE option of the same parameter. Entries in the ACL file use the following syntax:

<permit | deny> <ip-address[/mask]> [tracelevel] [# comment]

The following deny entry is recommended as the last rule in the ACL:

deny   0.0.0.0/0           # deny the rest
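To make the workaround concrete, the following added example (not SAP code and not from the note) shows a constructed icm/server_port_<xx> line that binds P4 to one host and points at an ACL file, and a small evaluator for the ACL syntax above. The host name, port, file path and networks are assumptions, as is the first-match evaluation order, which is also what the note's advice to put the deny-all entry last implies. Clients that match no entry are treated as denied here, a conservative choice for the example that the trailing deny rule makes moot.

```python
"""Evaluate an SAP ICM ACL file (icm/server_port_<xx> ACLFILE) against
client addresses.  Added illustration, not SAP code; it assumes the
documented entry syntax and first-match evaluation order."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed example of the profile parameter the note discusses: P4 bound
# only to the application server's own address, with an ACL file attached.
# Host name, port and path are assumptions for this example.
PROFILE_LINE = (
    "icm/server_port_3 = PROT=P4, PORT=5$$04, HOST=appsrv01.example.com, "
    "ACLFILE=/usr/sap/$(SAPSYSTEMNAME)/SYS/global/security/data/p4_acl.txt"
)

# Constructed ACL file: permit the admin subnet and one SAProuter host,
# deny everything else as the last rule (the recommended final entry).
ACL_FILE = """\
# P4 access control list
permit 10.10.0.0/16        # administration network
permit 192.168.100.5   3   # SAProuter host, with trace level 3
deny   0.0.0.0/0           # deny the rest
"""


@dataclass(frozen=True)
class AclEntry:
    action: str                                          # "permit" or "deny"
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    tracelevel: int | None = None


def parse_acl(text: str) -> list[AclEntry]:
    """Parse lines of the form
       <permit | deny> <ip-address[/mask]> [tracelevel] [# comment]
    Blank and comment-only lines are skipped; anything else is an error,
    so a typo does not silently become a rule that never matches."""
    entries: list[AclEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop the trailing comment
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (2, 3) or fields[0] not in ("permit", "deny"):
            raise ValueError(f"line {lineno}: malformed ACL entry: {raw!r}")
        # A bare address becomes a /32 (or /128) network; ip/mask is kept.
        network = ipaddress.ip_network(fields[1], strict=False)
        tracelevel = int(fields[2]) if len(fields) == 3 else None
        entries.append(AclEntry(fields[0], network, tracelevel))
    return entries


def evaluate(entries: list[AclEntry], client_ip: str) -> str:
    """Return "permit" or "deny" for a client address.
    The first matching entry decides (assumed order), which is why the
    deny-all entry belongs at the end of the file."""
    addr = ipaddress.ip_address(client_ip)
    for entry in entries:
        if addr in entry.network:     # False across IPv4/IPv6 versions
            return entry.action
    return "deny"                     # no match: conservative default here


def ends_with_deny_all(entries: list[AclEntry]) -> bool:
    """Check the note's recommendation: the last rule is 'deny 0.0.0.0/0'."""
    if not entries:
        return False
    last = entries[-1]
    return last.action == "deny" and last.network == ipaddress.ip_network("0.0.0.0/0")


if __name__ == "__main__":
    rules = parse_acl(ACL_FILE)
    print(PROFILE_LINE)
    print("deny-all last:", ends_with_deny_all(rules))
    for ip in ("10.10.5.7", "192.168.100.5", "192.168.100.6", "203.0.113.9"):
        print(f"{ip:>16} -> {evaluate(rules, ip)}")
```

Running the block prints the constructed profile line, confirms the deny-all rule is last, and shows that only addresses in 10.10.0.0/16 and the single SAProuter host are permitted. Swapping the order of the entries (deny-all first) denies everything, which is the mistake the ordering check is meant to catch.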

Hot News note 3643865 removes an unrestricted file upload vulnerability in AS Java that could be exploited to upload files containing malicious code and have it executed. The vulnerability affects all versions of AS Java, but the note only provides a fix for specific Support Package levels of version 7.50, since earlier versions are no longer maintained by SAP. For those earlier versions, Knowledge Base Article (KBA) 3646072 describes a workaround that disables the vulnerable Deploy Web Service component by adding a startup filter.

Hot News note 3627373 provides a solution for a missing authentication check in SAP NetWeaver installations running on the IBM i operating system. Installations on other operating systems are not affected. SAP System IDs (SIDs) are impacted if they share a logical partition (LPAR) with other SIDs, so a possible workaround is to place each SID in its own LPAR. This prevents the sharing of server resources such as CPU, memory and storage across multiple virtualized environments.

Notes 3635475 and 3633002 patch high-priority input validation vulnerabilities in SAP S/4HANA and SAP Landscape Transformation. The vulnerabilities could be exploited to delete the contents of database tables that are not protected by authorization groups.

Other high-priority notes include note 3581811 for a directory traversal vulnerability in SAP NetWeaver and note 3642961 for an information disclosure vulnerability in SAP Business One.