All news with #sap tag

Thu, November 20, 2025

AWS Expands R8i and R8i-flex Instances to Three Regions

⚡ Amazon EC2 R8i and R8i-flex instances are now available in Asia Pacific (Sydney), Canada (Central), and US West (N. California). Powered by AWS-exclusive custom Intel Xeon 6 processors, they offer up to 15% better price-performance and 2.5× the memory bandwidth versus prior Intel-based instances, and about 20% higher performance than R7i. R8i-flex provides common memory-optimized sizes from large to 16xlarge for workloads that underutilize CPU; R8i includes 13 sizes, two bare-metal options and a new 96xlarge, and is SAP-certified at 142,100 aSAPS. Available via Savings Plans, On-Demand, and Spot.

Wed, November 12, 2025

November Patch Tuesday: Critical Windows Kernel Zero-Day

⚠️ Microsoft’s November Patch Tuesday addresses 63 vulnerabilities, including an actively exploited Windows kernel zero-day CVE-2025-62215 that can allow local attackers to escalate to SYSTEM via a complex race-condition double-free. Administrators should prioritize this fix across servers, domain controllers, and desktops, including Windows 10 systems enrolled in the ESU program. Other notable fixes include a Copilot Chat extension RCE (CVE-2025-62222) and a critical Microsoft Graphics Component overflow that could be triggered by specially crafted document uploads.

Tue, November 11, 2025

SAP patches critical hardcoded credentials in SQL Anywhere

🔒 SAP released November security updates addressing a maximum-severity (10.0) hardcoded credentials flaw in the non-GUI component of SQL Anywhere Monitor (CVE-2025-42890) and a critical code-injection issue in SAP Solution Manager (CVE-2025-42887). The embedded credentials could allow attackers to access administrative functions and potentially execute arbitrary code. Administrators should apply updates and follow SAP mitigation guidance promptly.

Fri, October 31, 2025

SAP Cloud ERP (GROW) Now Available in Frankfurt Region

🚀 SAP and AWS have expanded the SAP Cloud ERP on AWS (GROW) offering to the Europe (Frankfurt) region, delivering a full SaaS ERP solution that can be implemented in months rather than years. The service centers on SAP S/4HANA Cloud, Public edition and integrates HR, procurement, sales, finance, supply chain, and manufacturing with SAP Business AI–powered processes. Customers can leverage generative AI via Amazon Bedrock in the SAP generative AI hub and benefit from AWS Graviton processors' energy efficiency.

Wed, October 15, 2025

SAP issues patches for NetWeaver deserialization RCE

🔒 SAP has released security updates addressing 13 vulnerabilities, including a maximum-severity insecure deserialization flaw in NetWeaver AS Java (CVE-2025-42944, CVSS 10.0) that can lead to arbitrary OS command execution via the RMI‑P4 module. The vendor's latest patch adds a JVM-wide serial filter (jdk.serialFilter) to block dangerous classes and packages — a list curated with the ORL and recommended by security firm Onapsis — and complements an earlier remediation issued last month. Other critical fixes include a directory traversal in SAP Print Service (CVE-2025-42937, 9.8) and an unrestricted file upload in SAP Supplier Relationship Management (CVE-2025-42910, 9.0); administrators are urged to apply patches and mitigations immediately.

Wed, October 15, 2025

October 2025 Patch Tuesday: Critical WSUS and Modem Fixes

🔒 Microsoft’s October Patch Tuesday addresses 167 vulnerabilities, including seven rated critical that require immediate CISO attention. Notable fixes include a 9.8 RCE in Windows Server Update Services (WSUS) (CVE-2025-59287) and two Office RCEs exploitable via the Preview Pane. Two legacy Agere modem driver flaws include an in-the-wild zero day and a prior public disclosure, prompting Microsoft to remove ltmdm64.sys from Windows. Administrators should prioritize internet-facing services and kernel-mode drivers, and review WSUS exposure and patch management architecture.

Fri, October 3, 2025

AWS Glue Adds Write Support for Four Application Connectors

🔁 AWS Glue now supports write operations for SAP OData, Adobe Marketo Engage, Salesforce Marketing Cloud, and HubSpot connectors, allowing ETL jobs to create and update records directly in those applications. Announced Oct 3, 2025, the enhancement lets teams sync leads and CRM records, update subscribers and campaign data, and manage contacts, companies, and deals without custom scripts or intermediate systems. This capability simplifies end-to-end ETL pipelines and reduces integration complexity and latency. The feature is available in all Regions where AWS Glue is offered; consult the AWS Glue documentation for supported entities.

Tue, September 30, 2025

Databricks Launches AI-Driven Cybersecurity Lakehouse

🔒 Databricks has introduced Data Intelligence for Cybersecurity, an AI-driven platform that unifies fragmented security telemetry on its Lakehouse architecture to provide real-time, context-rich threat detection. The offering includes Agent Bricks to build governed AI agents, conversational dashboards, and natural-language queries for nontechnical stakeholders. Early adopters such as Arctic Wolf, Palo Alto Networks, and SAP report sharper detection, lower costs, and faster operations, while Databricks expands integrations across a broad partner ecosystem to challenge established SIEM and analytics vendors.

Sun, September 28, 2025

EU Opens Antitrust Probe into SAP ERP Support Practices

⚖️ The European Commission has launched a formal investigation into whether SAP engaged in anti-competitive conduct in aftermarket services for its on‑premise ERP software. The probe focuses on four practices: mandatory uniform support across products, blocking termination of unused licenses, extending non‑terminable initial support terms, and charging reinstatement fees equal to prior amounts. The Commission says these practices could limit competition from third‑party support providers and amount to unfair trading conditions. SAP says its policies follow industry standards and expects no significant financial impact.

Tue, September 16, 2025

Google Cloud and SAP: Unified Data, AI Agents, and HANA

🚀 Google Cloud and SAP announced tighter integration to unify enterprise data and accelerate intelligent automation. SAP Business Data Cloud now connects to BigQuery via Datasphere, enabling bidirectional replication and AI-ready analytics. Procurement is simplified on the Google Cloud Marketplace with SAP BTP. New agent tooling—Agentspace, the Agent Development Kit, A2A and MCP standards—and expanded M4 memory-optimized VMs certified for SAP HANA aim to speed deployments, improve data consistency, and enable autonomous process automation.

Wed, September 10, 2025

SAP Patches Critical NetWeaver Flaws, Urges Updates

🔒 SAP on Tuesday released security updates addressing multiple vulnerabilities, including three critical flaws in SAP NetWeaver that could enable remote code execution and arbitrary file uploads (notably CVE-2025-42944, CVE-2025-42922 and CVE-2025-42958). The company also fixed a high-severity input-validation issue in SAP S/4HANA (CVE-2025-42916). Security researchers recommend immediate patching and temporary mitigations such as P4 port filtering to limit exposure.

Tue, September 9, 2025

SAP fixes critical NetWeaver remote command execution flaw

🔒 SAP released patches in its September security bulletin addressing 21 vulnerabilities, including three critical issues affecting SAP NetWeaver. The most severe, CVE-2025-42944 (10.0), is an insecure deserialization bug in the RMI-P4 module that can allow unauthenticated attackers to execute arbitrary OS commands by sending a malicious Java object to an open port. Two other critical flaws include an insecure file operations bug in Deploy Web Service (CVE-2025-42922, 9.9) that can allow file uploads by non-admin authenticated users, and a missing authentication check (CVE-2025-42958, 9.1) that exposes high-privilege actions and sensitive data. Administrators are advised to apply SAP’s patches and mitigation guidance available via SAP notes.

Mon, September 8, 2025

Critical Code-Injection Vulnerability in SAP S/4HANA

⚠ Security teams must urgently patch SAP S/4HANA after a critical code-injection flaw, CVE-2025-42957 (CVSS 9.9), was fixed by the vendor on August 12 and is now being exploited in the wild. The vulnerability allows a low-privilege user to inject arbitrary ABAP via an RFC-exposed function module, bypassing authorization checks and enabling admin-level control and potential OS interference. No workaround exists; timely patching across complex SAP landscapes is essential to prevent data theft, credential harvesting, backdoors, ransomware and operational disruption.

Fri, September 5, 2025

Critical S/4HANA Code Injection Flaw Actively Exploited

⚠️ SAP released a patch for a critical S/4HANA vulnerability, CVE-2025-42957 (CVSS 9.9), after researchers observed a live exploit that allows low-privilege ABAP code injection and full system takeover. The flaw affects all S/4HANA deployments, including private cloud and on-premises, and can be weaponized easily because ABAP source is publicly viewable. Administrators should apply the update immediately and review account privileges, default credentials, encryption settings, and monitoring to limit risks such as data tampering, account creation with SAP_ALL, and password-hash exfiltration.

Fri, September 5, 2025

Critical SAP S/4HANA Code Injection Flaw Actively Exploited

⚠️ A critical ABAP code injection flaw, tracked as CVE-2025-42957, in an RFC-exposed function of SAP S/4HANA is being exploited in the wild to breach exposed servers. The bug allows low-privileged authenticated users to inject arbitrary code, bypass authorization checks, and take full control of affected systems. SAP issued a fix on August 11, 2025 (CVSS 9.9), but SecurityBridge reports active, limited exploitation and urges immediate patching.

Fri, September 5, 2025

Critical SAP S/4HANA Command Injection (CVE-2025-42957)

⚠️ SAP patched a critical command injection in SAP S/4HANA tracked as CVE-2025-42957 (CVSS 9.9) that allows low-privileged users to inject arbitrary ABAP via an RFC-exposed function module, bypassing authorization checks. SecurityBridge and NVD report active exploitation affecting both on-premise and Private Cloud editions, with potential for full system compromise. Organizations are urged to apply SAP's monthly fixes immediately, monitor for suspicious RFC calls or new admin accounts, implement network segmentation and backups, adopt SAP UCON to restrict RFC usage, and review access to authorization object S_DMIS activity 02.

Fri, September 5, 2025

Critical SAP S/4HANA Code Injection Exploit Active

⚠️ A critical code injection vulnerability in SAP S/4HANA (CVE-2025-42957, CVSS 9.9) is being actively exploited in the wild, researchers warn. The flaw allows a low-privileged user to inject ABAP code and gain full system and operating system access across all S/4HANA releases. SecurityBridge confirmed practical abuse and noted the exploit was straightforward to develop because ABAP code is openly viewable. Organizations that have not yet applied the August 11 patch should install it immediately to prevent complete data compromise and unauthorized administrative access.

Thu, August 28, 2025

Amazon EC2 U7i-12TB High Memory Instances in Seoul

🚀 Amazon EC2 High Memory U7i instances (u7i-12tb.224xlarge) with 12TiB of DDR5 memory are now available in the AWS Asia Pacific (Seoul) Region. Powered by custom fourth-generation Intel Xeon Scalable (Sapphire Rapids) processors, the U7i-12tb offers 896 vCPUs, ENA Express support, and up to 100 Gbps for both EBS and network throughput. These instances are designed for mission-critical in-memory databases and large transactional workloads such as SAP HANA, Oracle, and SQL Server, enabling faster data loading, backups, and higher transaction processing throughput.

Thu, August 28, 2025

AWS launches M8i and M8i-flex EC2 instances, Xeon 6

🚀 AWS has made the new M8i and M8i-flex EC2 instances generally available, powered by custom Intel Xeon 6 processors exclusive to AWS. The instances offer up to 15% better price-performance and 2.5x the memory bandwidth versus previous Intel-based generations, and AWS reports up to 20% higher performance compared with M7i and M7i-flex with larger gains for specific workloads. Initial availability includes US East (N. Virginia), US East (Ohio), US West (Oregon), and Europe (Spain).
