In September 2025, SAP had released a security bulletin [CVE-2025-42958] for the operating system IBM i in SAP Note 3627373. It delivered patches for all supported SAP kernel releases on IBM i (7.22, 7.53, and 7.54). A month later, SAP Host Agent 7.22, patch level 69 was released. It contained code to overcome the vulnerability also for SAP systems that did not have the patches of SAP Note 3627373 applied. When the SAP Host Agent is applied in patch level 69 or higher and an SAP kernel does not have the patch level of SAP Note 3627373, there are cases when
So, before you upgrade the SAP Host Agent to the current level, make sure that your SAP systems all use the kernel patch levels that are documented in SAP Note 3627373. If you cannot apply a stack kernel (SAPEXE.SAR) in the specified level or higher, be aware that you need to apply the ILE patch for the fix, not disp+work. If you follow this rule, you are done and should not see any problems with
What is the background?
Prior to security bulletin [CVE-2025-42958], all
With SAP Host Agent patch level 69, code was introduced to scan the whole system for user profiles that are still owned by R3GROUP. If their naming followed the pattern
With those changes in place, all
If you experience that problem and cannot upgrade to the required ILE patch level immediately, you can solve the problem temporarily by changing the ownership of
This is the command to change the owner back to
CHGOBJOWN OBJ(ADM) OBJTYPE(*USRPRF) NEWOWN( ADM) CUROWNAUT(*REVOKE)
This is the command to create the data area SUPPORT in order to avoid changing the ownership back by SAPILEDX:
CRTDTAARA DTAARA(SAPIND/SUPPORT) TYPE(*CHAR) LEN(1)
Please note that the above is just a workaround. The recommended solution is to apply the ILE patches of SAP Note 3627373 for all affected SAP systems.



