SecurityWeek

SAP Patches Critical Vulnerabilities in NetWeaver, Print Service, SRM

SAP has rolled out additional protections for insecure deserialization bugs resolved in NetWeaver AS Java recently.

Business software maker SAP on Tuesday announced the release of 16 new and updated patch notes as part of its monthly rollout, including three fresh notes that address critical-severity vulnerabilities.

One of the patches released on the October 2025 Security Patch Day once again addresses CVE-2025-42944 (CVSS score of 10/10), described as an insecure deserialization flaw in NetWeaver AS Java.

According to enterprise software security firm Onapsis, the security note adds fresh protections against insecure deserialization flaws resolved in NetWeaver over the past months, including CVE-2025-42944, which was initially patched in September 2025.

In fact, SAP also updated the September 2025 security note dealing with CVE-2025-42944 to add a reference to the newly released hardening recommendations.

“The additional layer of protection is based on implementing a JVM-wide filter (jdk.serialFilter) that prevents dedicated classes from being deserialized,” says Onapsis.
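How a `jdk.serialFilter` deny pattern behaves, shown as an added example that is not SAP's or Onapsis's code. The class names and limits are hypothetical, the pattern is not SAP's recommended list, and Java 9 or later is assumed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SerialFilterDemo {
    // Hypothetical classes: Blocked stands in for a class the filter denies.
    static class Blocked implements Serializable { private static final long serialVersionUID = 1L; }
    static class Allowed implements Serializable { private static final long serialVersionUID = 1L; }

    // Produce a serialized stream for the given object (constructed sample input).
    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // No per-stream filter is set here: the stream picks up the JVM-wide one.
    static String read(byte[] data) throws Exception {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return "accepted " + in.readObject().getClass().getName();
        } catch (InvalidClassException e) {
            // The filter's REJECTED status surfaces as InvalidClassException.
            return "rejected (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        // Same syntax as -Djdk.serialFilter=<pattern>: "!" rejects a class,
        // the remaining entries cap graph depth, references and array length.
        String pattern = "!SerialFilterDemo$Blocked;maxdepth=20;maxrefs=1000;maxarray=100000";

        // Programmatic equivalent of the system property; it can be set only
        // once per JVM and throws IllegalStateException if already configured.
        ObjectInputFilter.Config.setSerialFilter(ObjectInputFilter.Config.createFilter(pattern));

        System.out.println(read(serialize(new Allowed())));
        System.out.println(read(serialize(new Blocked())));
    }
}
```

A class that matches no pattern entry is left undecided and therefore still deserializes, which is why a deny list only covers the classes it names.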

Another critical-severity issue resolved on Tuesday is CVE-2025-42937 (CVSS score of 9.8), a directory traversal bug in Print Service, which could allow unauthenticated attackers to overwrite system files.

SAP also rolled out patches for CVE-2025-42910 (CVSS score of 9.0), an unrestricted file upload defect in Supplier Relationship Management (SRM) that could allow authenticated attackers to upload arbitrary files, including executables containing malware.

This month, SAP published two security notes addressing high-severity vulnerabilities. The first resolves CVE-2025-5115, a denial-of-service (DoS) bug in Commerce Cloud, while the second fixes CVE-2025-48913, a security misconfiguration flaw in Data Hub Integration Suite.

The remaining 10 new and updated security notes resolve medium- and low-severity defects in NetWeaver, ABAP, Commerce Cloud, S/4HANA, Financial Service Claims Management, BusinessObjects, and Cloud Appliance.

After the scheduled monthly patch day, SAP updated its September 2025 advisory with one new and seven updated security notes, including three dealing with critical-severity vulnerabilities.

SAP makes no mention of any of these issues being exploited in the wild, but users are advised to apply the patches and mitigations as soon as possible. Threat actors are known to have targeted SAP bugs in their attacks.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
