SAP Issues Critical Patches for NetWeaver and Other Products Amid Severe Vulnerability Threats

October 14, 2025
  • SAP stresses the importance of applying these patches promptly, as threat actors have targeted SAP vulnerabilities, although no public exploitation has been reported to date.

  • Critical vulnerabilities such as directory traversal in SAP Print Service (CVE-2025-42937) and malicious file upload in SAP SRM (CVE-2025-42910) have been patched to prevent potential system compromise.

  • SAP has also updated previous patches for CVE-2025-42944 to include new hardening measures, like JVM-wide filters, to better mitigate deserialization risks.

  • Additional security notes addressed medium- and low-severity vulnerabilities across various SAP products, including NetWeaver, ABAP, S/4HANA, and BusinessObjects.

  • SAP has released a critical security patch addressing CVE-2025-42944, a severe deserialization flaw in NetWeaver AS Java with a CVSS score of 10, which could enable arbitrary code execution. Additional protections, such as JVM-wide filters, have been implemented to mitigate deserialization risks.

  • In addition to the NetWeaver fix, SAP issued updates for products including SAP Application Server for ABAP, S/4HANA, BusinessObjects, and Cloud Appliance Library, emphasizing the need for prompt application by IT security teams.

  • A total of 16 security patches were released in October 2025, addressing critical vulnerabilities across SAP's enterprise software, including NetWeaver, Print Service, and SRM, with two classified as critical and two as high risk.

  • High-severity vulnerabilities addressed include a DoS issue in SAP Commerce Cloud (CVE-2025-5115) and a security misconfiguration in Data Hub Integration Suite (CVE-2025-48913), both requiring urgent attention.

Summary based on 2 sources

