
SAP has published security fixes for 13 new security issues, including additional hardening for a maximum-severity bug in SAP NetWeaver AS Java that could lead to arbitrary command execution.
The vulnerability is tracked as CVE-2025-42944 and carries a CVSS score of 10.0. It is described as a case of insecure deserialization.
According to the description on CVE.org, “A deserialization vulnerability in SAP NetWeaver could allow an unauthenticated attacker to exploit the system via the RMI-P4 module by sending a malicious payload to an open port.”

“Such untrusted deserialization of Java objects can lead to the execution of arbitrary OS commands, significantly impacting application confidentiality, integrity, and availability.”
The vulnerability was first addressed by SAP last month, but security firm Onapsis said the latest fix provides additional safeguards against the risks posed by deserialization.
“An additional layer of protection is based on the implementation of a JVM-wide filter (jdk.serialFilter) that prevents deserialization of proprietary classes,” the firm said. “The list of recommended classes and packages to block has been defined in collaboration with ORL and is divided into required and optional sections.”
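To make the jdk.serialFilter mechanism concrete, the following is an added example (not SAP's or Onapsis's code, and not their recommended block list): it applies a filter written in the same pattern syntax the JVM reads from `-Djdk.serialFilter=...` to an `ObjectInputStream`, then shows a harmless class passing and a stand-in "gadget" class being rejected. The class names `Greeting` and `Gadget`, the package `com.example.gadgets`, and the resource limits are hypothetical; the mechanism itself is the standard `java.io.ObjectInputFilter` API available since Java 9.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/**
 * Added example (not SAP or Onapsis code). Demonstrates a deserialization
 * filter in jdk.serialFilter pattern syntax, applied per stream so it can be
 * run stand-alone. All class and package names below are hypothetical.
 */
public class SerialFilterDemo {

    // A legitimate application class that should still deserialize.
    public static class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Stand-in for a "gadget" class that the filter must block.
    // Nothing here executes anything; it only exists to be rejected.
    public static class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        final String command;
        Gadget(String command) { this.command = command; }
    }

    // Same syntax as -Djdk.serialFilter=...: patterns separated by ';',
    // a leading '!' rejects, '**' matches a package and its subpackages,
    // and maxdepth/maxrefs/maxbytes cap the object graph. The first pattern
    // that matches a class decides; unmatched classes are left UNDECIDED,
    // which ObjectInputStream treats as allowed. Nested classes are matched
    // by their binary name, hence the '$'.
    static final String FILTER_PATTERN =
            "!SerialFilterDemo$Gadget;"          // hypothetical gadget class
          + "!com.example.gadgets.**;"           // hypothetical gadget package
          + "maxdepth=5;maxrefs=1000;maxbytes=65536";

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Returns the object, or null if the filter rejected the stream. */
    static Object deserializeFiltered(byte[] bytes)
            throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(FILTER_PATTERN);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            // Per-stream equivalent of the JVM-wide property; in production the
            // pattern goes into -Djdk.serialFilter or the java.security file.
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        } catch (InvalidClassException e) {
            // A rejected class surfaces as InvalidClassException("filter status: REJECTED")
            // before any constructor, readObject or readResolve of that class runs.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] allowed = serialize(new Greeting("hello"));
        byte[] blocked = serialize(new Gadget("id"));
        System.out.println("Greeting -> "
                + (deserializeFiltered(allowed) != null ? "accepted" : "rejected"));
        System.out.println("Gadget   -> "
                + (deserializeFiltered(blocked) != null ? "accepted" : "rejected"));
    }
}
```

Two practitioner notes. First, the JVM-wide filter can be set only once (`-Djdk.serialFilter` on the command line, the `jdk.serialFilter` entry in `java.security`, or a single call to `ObjectInputFilter.Config.setSerialFilter`), so it must be in place before any application code deserializes. Second, a deny-list like the one above only stops the classes you already know about; where the set of legitimately deserialized classes is known, ending the pattern with `!*` turns it into an allow-list, which is the stronger posture.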
Another critical vulnerability to note is CVE-2025-42937 (CVSS score: 9.8), a directory traversal flaw in SAP Print Services caused by insufficient path validation, which could allow an unauthenticated attacker to traverse to the parent directory and overwrite system files.
The third critical flaw patched by SAP is an unrestricted file upload bug in SAP Supplier Relationship Management (CVE-2025-42910, CVSS score: 9.0), which could allow an attacker to upload arbitrary files, including malicious executables, affecting the confidentiality, integrity, and availability of the application.

Although there is no evidence that these flaws have been exploited in the wild, it is important that users apply the latest patches and mitigations as soon as possible to avoid potential threats.
Pathlock’s Jonathan Stross said, “Deserialization remains a big risk. The P4/RMI chain remains at significant risk in AS Java, and SAP has issued both direct fixes and hardened JVM configurations to reduce exploits of the gadget class.”