SAP has rolled out safety fixes for 13 new safety points, together with further hardening for a maximum-severity bug in SAP NetWeaver AS Java that might lead to arbitrary command execution.
The vulnerability, tracked as CVE-2025-42944, carries a CVSS rating of 10.0. It has been described as a case of insecure deserialization.
“As a consequence of a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker may exploit the system by the RMI-P4 module by submitting a malicious payload to an open port,” in response to an outline of the flag in CVE.org.
“The deserialization of such untrusted Java objects may result in arbitrary OS command execution, posing a excessive affect to the appliance’s confidentiality, integrity, and availability.”
Whereas the vulnerability was first addressed by SAP final month, safety firm Onapsis mentioned the newest repair supplies additional safeguards to safe towards the chance posed by deserialization.
“The extra layer of safety is predicated on implementing a JVM-wide filter (jdk.serialFilter) that forestalls devoted courses from being deserialized,” it famous. “The listing of really helpful courses and packages to dam was outlined in collaboration with the ORL and is split into a compulsory part and an elective part.”
One other important vulnerability of notice is CVE-2025-42937 (CVSS rating: 9.8), a listing traversal flaw in SAP Print Service that arises on account of inadequate path validation, permitting an unauthenticated attacker to succeed in the guardian listing and overwrite system recordsdata.
The third important flaw patched by SAP considerations an unrestricted file add bug in SAP Provider Relationship Administration (CVE-2025-42910, CVSS rating: 9.0) that might allow an attacker to add arbitrary recordsdata, together with malicious executables that might affect the confidentiality, integrity, and availability of the appliance.
Whereas there isn’t any proof of those flaws being exploited within the wild, it is important that customers apply the newest patches and mitigations as quickly as attainable to keep away from potential threats.
“Deserialization stays the foremost threat,” Pathlock’s Jonathan Stross mentioned. “The P4/RMI chain continues to drive important publicity in AS Java, with SAP issuing each a direct repair and a hardened JVM configuration to cut back gadget‑class abuse.”
Elevate your perspective with NextTech Information, the place innovation meets perception.
Uncover the newest breakthroughs, get unique updates, and join with a world community of future-focused thinkers.
Unlock tomorrow’s developments right this moment: learn extra, subscribe to our e-newsletter, and turn out to be a part of the NextTech neighborhood at NextTech-news.com
