Severity: Critical.
Description: SAS has confirmed that instances of SAS® Web Application Server and SAS® Environment Manager in the default SAS® 9.4 configuration are not affected by CVE-2025-24813. The default Tomcat settings are not configured to allow this CVE to be exploited.
Potential Impact: No action by customers is required.
Solution: Although the default configuration of SAS 9.4 is not impacted by CVE-2025-24813, SAS plans to release a hot fix to upgrade SAS Web Application Server on SAS® 9.4M8 (TS1M8) to Apache Tomcat 9.0.99 or higher. This hot fix is expected to be available by the end of June 2025 and can be accessed via SAS Note 65934, "Hot fixes that are available to update Apache HTTP Server (httpd), OpenSSL, and Apache Tomcat versions in SAS® 9.4 and SAS® Viya® 3.5."
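To confirm that a deployment still has the default setting the Description relies on, the following added example (not SAS or Apache code) checks web.xml files for a writable default servlet. Per the Apache Tomcat advisory for CVE-2025-24813, exploitation requires writes to be enabled on the default servlet, meaning the `readonly` init-param is set to `false` (it defaults to `true`); the sample web.xml snippets are constructed, and the function names are chosen for this example.

```python
import sys
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

def local(tag):
    """Strip any XML namespace so web.xml files of every schema version match."""
    return tag.rsplit("}", 1)[-1]

def children(elem, name):
    return [c for c in elem if local(c.tag) == name]

def text_of(elem, name):
    found = children(elem, name)
    return (found[0].text or "").strip() if found else ""

def writable_default_servlets(web_xml):
    """Return servlet-names of DefaultServlet entries with readonly=false."""
    root = ET.fromstring(web_xml)  # accepts str or bytes
    hits = []
    for servlet in (e for e in root.iter() if local(e.tag) == "servlet"):
        if text_of(servlet, "servlet-class") != DEFAULT_SERVLET:
            continue
        for param in children(servlet, "init-param"):
            if (text_of(param, "param-name") == "readonly"
                    and text_of(param, "param-value").lower() == "false"):
                hits.append(text_of(servlet, "servlet-name"))
    return hits

# Constructed samples: a default-style declaration and one with writes enabled.
SAMPLE_DEFAULT = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
SAMPLE_WRITABLE = SAMPLE_DEFAULT.replace(
    "<param-name>listings</param-name>", "<param-name>readonly</param-name>")

if __name__ == "__main__":
    # Pass Tomcat's conf/web.xml and each application's WEB-INF/web.xml as arguments.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = writable_default_servlets(fh.read())
        print(f"{path}: {'WRITABLE ' + ','.join(hits) if hits else 'readonly (default)'}")
```

This checks only the write precondition; a clean result means the servlet configuration matches the default described above, not that the Tomcat version has been upgraded.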