SAP has rolled out security fixes for 13 new security points, together with further hardening for a maximum-severity bug in SAP NetWeaver AS Java that might end in arbitrary command execution.
The vulnerability, tracked as CVE-2025-42944, carries a CVSS rating of 10.0. It has been described as a case of insecure deserialization.
“Resulting from a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker might exploit the system via the RMI-P4 module by submitting a malicious payload to an open port,” in response to an outline of the flag in CVE.org.
“The deserialization of such untrusted Java objects might result in arbitrary OS command execution, posing a excessive influence to the applying’s confidentiality, integrity, and availability.”
Whereas the vulnerability was first addressed by SAP final month, security firm Onapsis stated the most recent repair supplies additional safeguards to safe towards the danger posed by deserialization.
“The extra layer of safety is predicated on implementing a JVM-wide filter (jdk.serialFilter) that forestalls devoted courses from being deserialized,” it famous. “The record of beneficial courses and packages to dam was outlined in collaboration with the ORL and is split into a compulsory part and an optionally available part.”
One other vital vulnerability of word is CVE-2025-42937 (CVSS rating: 9.8), a listing traversal flaw in SAP Print Service that arises because of inadequate path validation, permitting an unauthenticated attacker to achieve the guardian listing and overwrite system information.
The third vital flaw patched by SAP considerations an unrestricted file add bug in SAP Provider Relationship Administration (CVE-2025-42910, CVSS rating: 9.0) that might allow an attacker to add arbitrary information, together with malicious executables that might influence the confidentiality, integrity, and availability of the applying.
Whereas there isn’t a proof of those flaws being exploited within the wild, it is important that customers apply the most recent patches and mitigations as quickly as attainable to keep away from potential threats.
“Deserialization stays the key threat,” Pathlock’s Jonathan Stross stated. “The P4/RMI chain continues to drive vital publicity in AS Java, with SAP issuing each a direct repair and a hardened JVM configuration to cut back gadget‑class abuse.”
