SAS 9.4 M7 & M8 Security Update – July 2025

By Carrie Foreman

On 7 July 2025, SAS released a set of critical security updates for its widely adopted 9.4 M7 and M8 platforms, targeting vulnerabilities across both third-party components and the core SAS infrastructure. If your organisation relies on these environments, this update is a timely reminder of SAS’s continued commitment to helping you safeguard mission-critical analytics against today’s evolving threat landscape.

What’s new in the July 2025 Security Updates

SAS 9.4 M8 (TS1M8)
If you’re running SAS 9.4 M8, this update is one you won’t want to overlook. It addresses more than 30 known vulnerabilities, including several high-severity CVEs that could pose serious risks to your environment. Key fixes include:

• CVE-2025-23184 & CVE-2025-24970 – Mitigating remote code execution threats in embedded libraries.
• CVE-2024-38808 to CVE-2024-38828 – Resolving a cluster of issues in XML parsing and authentication modules.
• CVE-2023-52428 – Fixing a privilege escalation flaw in the metadata server.

These patches are cumulative, so applying the latest update will bring your system fully up to date. SAS strongly recommends deploying this update as soon as possible to reduce exposure and maintain compliance, especially if your platform supports sensitive or regulated workloads.

SAS 9.4 M7

If your organisation is still running SAS 9.4 M7, this update deserves your attention. While smaller in scope than M8, it addresses several high-impact vulnerabilities, especially in legacy components that remain critical across regulated industries. Key fixes include:

• CVE-2023-1436 – Resolves a denial-of-service risk in SAS/ACCESS engines.
• CVE-2022-40149 – Patches a flaw in third-party encryption libraries.

With Standard Support for M7 ending in September 2025, this may be one of the final opportunities to apply essential security fixes under full support. If you’re relying on M7 for production use cases, now’s the time to patch and begin planning your upgrade to ensure continued protection and compliance.

Support Timeline Reminder

• SAS 9.4 M7: Standard Support ends September 2025
• SAS 9.4 M8: Supported through January 2028
• SAS 9.4 M9: Released June 2025, supported until 2030

If your organisation is still operating on SAS 9.4 M7 or an earlier release, now is the time to start planning your upgrade to M8 or M9. Transitioning ensures you stay protected with ongoing security patches and retain access to full technical support, critical for maintaining stability in your analytics environment and day to day workloads.

Final Thoughts

Security isn’t a one-time task, it’s an ongoing commitment. These updates highlight just how vital proactive maintenance is in keeping your analytics environment resilient and compliant. If your SAS platform plays a role in mission-critical operations, staying current with patches isn’t optional, it’s essential.

If you’re unsure about your upgrade path or need support applying these updates, the team at Katalyze Data are here to help you navigate the next steps with confidence

Whether you’re patching today or planning for tomorrow, staying ahead of vulnerabilities is key to keeping your analytics environment secure, stable, and supported. Let Katalyze Data help you take the next step with clarity and confidence.