What change-freeze windows should we avoid when enabling new SAP S/4HANA features this month?

Here is a four-step process:

• Step 1: Identify and prioritize notes

The SAP Support Portal is the primary source for security notes, released monthly on 'Patch Day' (the second Tuesday of each month).

• Step 2: Implement and test custom code fixes

To minimize business disruption, apply fixes in a non-production environment and test them thoroughly before deployment to production.

• Step 3: Deploy to production with cloud transport management

Use the built-in transport and deployment tools on BTP to promote your tested changes to production.

• Step 4: Monitor and verify post-deployment

After the patch is deployed, monitor system logs and health to ensure stability and verify the fix is effective.

To prove that your SAP S/4HANA system has been patched this month, auditors will require evidence that aligns with a complete and controlled patch management lifecycle. This includes documentation and logs from the identification, testing, application, and verification phases of patching.

Key strategies for scheduling transports safely

• Establish a release calendar and blackout periods
• Implement robust change management and approval workflows
• Analyze transport dependencies before import
• Bundle related transports for simultaneous import
• Restrict and monitor production access
• Coordinate with business stakeholders

Exploitation attempts related to the September 2025 SAP security notes on S/4HANA can be detected by a SOC using a combination of SAP native logs and security tools integrated with a Security Information and Event Management (SIEM) system. The most critical vulnerability from the September 2025 notes, CVE-2025-42957, involves arbitrary ABAP code injection, which allows a low-privileged user to gain full system control.

Validating custom code after kernel and ICM patches in SAP S/4HANA is primarily a quality assurance task, rather than an automatic process triggered by tools. The impact on ABAP custom code from these technical components is usually minimal, especially for ICM patches, but careful testing is still necessary. You can validate compatibility by following a structured testing and analysis process.