Oct 15, 2025Ravie Lakshmanan Enterprise Software program / Vulnerability
SAP has rolled out safety fixes for 13 new safety points, together with further hardening for a maximum-severity bug in SAP NetWeaver AS Java that would lead to arbitrary command execution.
The vulnerability, tracked as CVE-2025-42944, carries a CVSS rating of 10.0. It has been described as a case of insecure deserialization.
“As a consequence of a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker might exploit the system via the RMI-P4 module by submitting a malicious payload to an open port,” based on an outline of the flag in CVE.org.
“The deserialization of such untrusted Java objects might result in arbitrary OS command execution, posing a excessive influence to the appliance’s confidentiality, integrity, and availability.”
Whereas the vulnerability was first addressed by SAP final month, safety firm Onapsis stated the newest repair offers additional safeguards to safe in opposition to the chance posed by deserialization.
“The extra layer of safety relies on implementing a JVM-wide filter (jdk.serialFilter) that forestalls devoted courses from being deserialized,” it famous. “The listing of advisable courses and packages to dam was outlined in collaboration with the ORL and is split into a compulsory part and an non-compulsory part.”
One other essential vulnerability of word is CVE-2025-42937 (CVSS rating: 9.8), a listing traversal flaw in SAP Print Service that arises on account of inadequate path validation, permitting an unauthenticated attacker to succeed in the mum or dad listing and overwrite system information.
The third essential flaw patched by SAP considerations an unrestricted file add bug in SAP Provider Relationship Administration (CVE-2025-42910, CVSS rating: 9.0) that would allow an attacker to add arbitrary information, together with malicious executables that would influence the confidentiality, integrity, and availability of the appliance.
Whereas there isn’t any proof of those flaws being exploited within the wild, it is important that customers apply the newest patches and mitigations as quickly as doable to keep away from potential threats.
“Deserialization stays the main danger,” Pathlock’s Jonathan Stross stated. “The P4/RMI chain continues to drive essential publicity in AS Java, with SAP issuing each a direct repair and a hardened JVM configuration to scale back gadget‑class abuse.”
