SAP has released updates addressing 13 security flaws, among them a critical vulnerability in SAP NetWeaver AS Java that could allow attackers to execute arbitrary commands.
Tracked as CVE-2025-42944, the flaw carries a CVSS score of 10.0, the maximum severity. Security experts classify it as an insecure deserialization issue.
According to CVE.org, “An unauthenticated attacker could exploit the SAP NetWeaver system via the RMI-P4 module by sending a malicious payload to an open port. Deserialization of untrusted Java objects can lead to arbitrary operating system command execution, threatening the confidentiality, integrity, and availability of the application.”
Although SAP addressed the vulnerability last month, security firm Onapsis emphasized that the latest patch adds extra protection against deserialization attacks: a JVM-wide filter (jdk.serialFilter) that blocks certain classes from being deserialized. The recommended list of classes and packages, developed in collaboration with ORL, is divided into mandatory and optional sections.
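As an added illustration (not code from the article, SAP or Onapsis), the following Java program shows how a jdk.serialFilter-style allow-list rejects any class that is not explicitly permitted. The filter pattern and the Ticket and Untrusted classes are constructed for this demo; SAP's actual recommended class list is not reproduced here.

```java
import java.io.*;

public class SerialFilterDemo {
    // Filter pattern in jdk.serialFilter syntax, constructed for this demo
    // (not SAP's recommended list): allow JDK core types and this demo's
    // Ticket class; the trailing "!*" rejects every other class.
    static final String FILTER_PATTERN = "java.base/*;SerialFilterDemo$Ticket;!*";

    // Hypothetical application type that is expected on the wire.
    static class Ticket implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        Ticket(String id) { this.id = id; }
    }

    // Hypothetical type that is Serializable but not on the allow-list.
    static class Untrusted implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Attaches the filter to one stream. The same pattern supplied through
    // -Djdk.serialFilter=... (or ObjectInputFilter.Config.setSerialFilter)
    // covers every ObjectInputStream in the JVM, the approach described above.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(FILTER_PATTERN);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Ticket t = (Ticket) readFiltered(serialize(new Ticket("INC-1")));
        System.out.println("accepted: " + t.id);
        try {
            readFiltered(serialize(new Untrusted()));
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

The second call fails with an InvalidClassException reporting a REJECTED filter status, which is the behaviour a JVM-wide filter applies to every class outside the allow-list, regardless of which code path opened the stream.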
Other notable critical vulnerabilities include:
- CVE-2025-42937 (CVSS 9.8): A directory traversal flaw in SAP Print Service caused by weak path validation, enabling attackers to access parent directories and overwrite system files.
- CVE-2025-42910 (CVSS 9.0): An unrestricted file upload vulnerability in SAP Supplier Relationship Management, allowing attackers to upload malicious executables that can compromise the system’s security.
Currently, there is no evidence that these vulnerabilities are being actively exploited in the wild. Nevertheless, applying the latest patches immediately is strongly recommended to minimize potential risks.
Jonathan Stross from Pathlock noted, “Deserialization continues to pose the highest risk. The P4/RMI chain remains a critical attack vector in AS Java. SAP’s updates, including hardened JVM configuration, help reduce gadget-class exploitation.”