Article Details

Scrape Timestamp (UTC): 2025-10-15 05:43:21.114

Source: https://thehackernews.com/2025/10/new-sap-netweaver-bug-lets-attackers.html

Original Article Text


New SAP NetWeaver Bug Lets Attackers Take Over Servers Without Login

SAP has rolled out security fixes for 13 new security issues, including additional hardening for a maximum-severity bug in SAP NetWeaver AS Java that could result in arbitrary command execution. The vulnerability, tracked as CVE-2025-42944, carries a CVSS score of 10.0. It has been described as a case of insecure deserialization.

"Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting a malicious payload to an open port," according to a description of the flaw in CVE.org. "The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high impact to the application's confidentiality, integrity, and availability."

While the vulnerability was first addressed by SAP last month, security company Onapsis said the latest fix provides extra safeguards against the risk posed by deserialization. "The additional layer of protection is based on implementing a JVM-wide filter (jdk.serialFilter) that prevents dedicated classes from being deserialized," it noted. "The list of recommended classes and packages to block was defined in collaboration with the ORL and is divided into a mandatory section and an optional section."

Another critical vulnerability of note is CVE-2025-42937 (CVSS score: 9.8), a directory traversal flaw in SAP Print Service that arises from insufficient path validation, allowing an unauthenticated attacker to reach the parent directory and overwrite system files. The third critical flaw patched by SAP concerns an unrestricted file upload bug in SAP Supplier Relationship Management (CVE-2025-42910, CVSS score: 9.0) that could permit an attacker to upload arbitrary files, including malicious executables that could impact the confidentiality, integrity, and availability of the application.
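The directory traversal flaw above is described as a consequence of insufficient path validation. The following is an added example, not code from SAP Print Service or from this article, showing why a naive string-prefix check is not enough and how a resolve-then-normalize check keeps a user-supplied filename inside a base directory. The base directory `/var/app/output`, the sample filenames and the class names are constructed for the example, and POSIX-style paths are assumed.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafePathDemo {

    // Constructed base directory standing in for a service's configured output root.
    static final Path BASE = Paths.get("/var/app/output").toAbsolutePath().normalize();

    // Weak check: concatenates the raw input and tests a string prefix.
    // A "../" sequence survives concatenation, so the prefix test still passes.
    static boolean weakCheck(String userSupplied) {
        String candidate = BASE + "/" + userSupplied;
        return candidate.startsWith(BASE.toString());
    }

    // Hardened check: resolve against the base, normalize to collapse "." and "..",
    // then require the result to remain inside the base directory. Path.startsWith
    // compares whole path elements, so "/var/app/output2" does not pass as a child
    // of "/var/app/output" the way a string prefix test would allow.
    static Path resolveInsideBase(String userSupplied) {
        Path resolved = BASE.resolve(userSupplied).normalize();
        if (!resolved.startsWith(BASE)) {
            throw new IllegalArgumentException("path escapes base directory: " + userSupplied);
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: two legitimate relative names, one that climbs
        // out of the base directory, and one absolute path.
        String[] samples = {
            "report.txt",
            "jobs/2025/report.txt",
            "../../../system.conf",
            "/tmp/elsewhere.txt"
        };

        for (String s : samples) {
            System.out.println("input: " + s);
            System.out.println("  weak prefix check accepts: " + weakCheck(s));
            try {
                System.out.println("  hardened check resolves to: " + resolveInsideBase(s));
            } catch (IllegalArgumentException e) {
                System.out.println("  hardened check rejects: " + e.getMessage());
            }
        }
    }
}
```

The weak check accepts all four inputs; the hardened check accepts only the first two. Note that `normalize()` does not follow symbolic links, so a service that lets untrusted users create links under the base directory should additionally compare `toRealPath()` results once the target exists.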
While there is no evidence of these flaws being exploited in the wild, it's essential that users apply the latest patches and mitigations as soon as possible to avoid potential threats. "Deserialization remains the major risk," Pathlock's Jonathan Stross said. "The P4/RMI chain continues to drive critical exposure in AS Java, with SAP issuing both a direct fix and a hardened JVM configuration to reduce gadget‑class abuse."
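The hardening described above relies on the JDK's serialization filter mechanism (`jdk.serialFilter`). The following is an added example, not SAP's or Onapsis's code and not SAP's recommended blocklist, that installs a process-wide `ObjectInputFilter` with a reject pattern and size limits, then shows a benign class still deserializing while a blocked class is refused. The classes `OrderRecord` and `RiskyGadget` are constructed stand-ins; the pattern string is illustrative and a real deployment would use the class and package list from the vendor's note.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Constructed stand-in for a legitimate application object that must keep working.
class OrderRecord implements Serializable {
    private static final long serialVersionUID = 1L;
    final String orderId;
    OrderRecord(String orderId) { this.orderId = orderId; }
}

// Constructed stand-in for a class the operator has decided to block. The name is
// hypothetical and is not a gadget class from any vendor or JDK blocklist.
class RiskyGadget implements Serializable {
    private static final long serialVersionUID = 1L;
    final String note;
    RiskyGadget(String note) { this.note = note; }
}

public class SerialFilterDemo {

    // Same effect as starting the JVM with
    //   -Djdk.serialFilter='!RiskyGadget;maxdepth=10;maxarray=10000;maxrefs=1000;maxbytes=65536'
    // A pattern beginning with '!' rejects matching classes; the limits bound object
    // graph depth, array length, reference count and total stream bytes.
    static final String FILTER_PATTERN =
        "!RiskyGadget;maxdepth=10;maxarray=10000;maxrefs=1000;maxbytes=65536";

    static void installProcessWideFilter() {
        // The process-wide filter may be set only once per JVM; skip if the
        // jdk.serialFilter system property (or earlier code) already set it.
        if (ObjectInputFilter.Config.getSerialFilter() == null) {
            ObjectInputFilter.Config.setSerialFilter(
                ObjectInputFilter.Config.createFilter(FILTER_PATTERN));
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Returns the restored object, or null when the process-wide filter rejects the stream.
    static Object deserializeWithFilter(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        } catch (InvalidClassException e) {
            // The JDK reports a filter rejection as InvalidClassException
            // with a "filter status: REJECTED" message.
            System.out.println("rejected by serial filter: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        installProcessWideFilter();

        // Constructed sample streams: one benign, one containing the blocked class.
        byte[] benign = serialize(new OrderRecord("ORD-1001"));
        byte[] blocked = serialize(new RiskyGadget("sample"));

        Object a = deserializeWithFilter(benign);
        System.out.println("benign record restored: " + (a instanceof OrderRecord));

        Object b = deserializeWithFilter(blocked);
        System.out.println("blocked class restored: " + (b != null));
    }
}
```

Because the filter is process-wide, every `ObjectInputStream` created after `installProcessWideFilter()` inherits it, which is the property the vendor hardening relies on: the RMI-P4 listener does not need to be modified for its streams to be filtered. In practice the filter is more often supplied with `-Djdk.serialFilter=...` or in a `java.security` properties file than set from code, and a log-only trial (`ObjectInputFilter.Config.setSerialFilter` replaced by watching rejections in application logs) before enforcing it helps confirm that no legitimate class in the blocklist is still in use.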

Daily Brief Summary

VULNERABILITIES // Critical SAP NetWeaver Bug Allows Server Takeover Without Login

SAP has released security updates addressing 13 vulnerabilities, including a critical flaw in SAP NetWeaver AS Java with a CVSS score of 10.0, enabling arbitrary command execution.

The vulnerability, CVE-2025-42944, involves insecure deserialization, allowing unauthenticated attackers to exploit the system via the RMI-P4 module.

Additional security measures include a JVM-wide filter to prevent deserialization of untrusted Java objects, enhancing application confidentiality, integrity, and availability.

Another significant flaw, CVE-2025-42937, involves directory traversal in SAP Print Service, allowing unauthorized file overwriting, with a CVSS score of 9.8.

SAP also addressed an unrestricted file upload vulnerability in SAP Supplier Relationship Management, CVE-2025-42910, which could lead to malicious file execution.

No active exploitation of these vulnerabilities has been reported, but immediate application of patches and mitigations is strongly advised to prevent potential threats.

Security experts emphasize the ongoing risk of deserialization vulnerabilities, urging organizations to implement SAP's fixes and enhanced JVM configurations.