New SAP NetWeaver Bug Lets Attackers Take Over Servers Without...

10 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

SAP has rolled out security fixes for 13 new security issues, including additional hardening for a maximum-severity bug in SAP NetWeaver AS Java that could result in arbitrary command execution.

The vulnerability, tracked as CVE-2025-42944, carries a CVSS score of 10.0. It has been described as a case of insecure deserialization.

"Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting a malicious payload to an open port," according to a description of the flag in CVE.org.

DFIR Retainer Services

"The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high impact to the application's confidentiality, integrity, and availability."

While the vulnerability was first addressed by SAP last month, security company Onapsis said the latest fix provides extra safeguards to secure against the risk posed by deserialization.

"The additional layer of protection is based on implementing a JVM-wide filter (jdk.serialFilter) that prevents dedicated classes from being deserialized," it noted. "The list of recommended classes and packages to block was defined in collaboration with the ORL and is divided into a mandatory section and an optional section."

Another critical vulnerability of note is CVE-2025-42937 (CVSS score: 9.8), a directory traversal flaw in SAP Print Service that arises as a result of insufficient path validation, allowing an unauthenticated attacker to reach the parent directory and overwrite system files.

The third critical flaw patched by SAP concerns an unrestricted file upload bug in SAP Supplier Relationship Management (CVE-2025-42910, CVSS score: 9.0) that could permit an attacker to upload arbitrary files, including malicious executables that could impact the confidentiality, integrity, and availability of the application.

CIS Build Kits

While there is no evidence of these flaws being exploited in the wild, it's essential that users apply the latest patches and mitigations as soon as possible to avoid potential threats.

"Deserialization remains the major risk," Pathlock's Jonathan Stross said. "The P4/RMI chain continues to drive critical exposure in AS Java, with SAP issuing both a direct fix and a hardened JVM configuration to reduce gadget‑class abuse."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Visit Original Source

Basic Information

ID THN:612527094B2F2AB5601443C776FC8111

Published Oct 15, 2025 at 05:36

{
    "lastseen": "2025-10-15T05:37:58",
    "description": "![](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)\n\nSAP has rolled out security fixes for 13 new security issues, including additional hardening for a maximum-severity bug in SAP NetWeaver AS Java that could result in arbitrary command execution.\n\nThe vulnerability, tracked as CVE-2025-42944, carries a CVSS score of 10.0. It has been described as a case of insecure deserialization.\n\n\"Due to a deserialization vulnerability in SAP NetWeaver, an unauthenticated attacker could exploit the system through the RMI-P4 module by submitting a malicious payload to an open port,\" according to a description of the flag in CVE.org.\n\n![DFIR Retainer Services](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)\n\n\"The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high impact to the application's confidentiality, integrity, and availability.\"\n\nWhile the vulnerability was first addressed by SAP last month, security company Onapsis said the latest fix provides extra safeguards to secure against the risk posed by deserialization.\n\n\"The additional layer of protection is based on implementing a JVM-wide filter (jdk.serialFilter) that prevents dedicated classes from being deserialized,\" it noted. \"The list of recommended classes and packages to block was defined in collaboration with the ORL and is divided into a mandatory section and an optional section.\"\n\nAnother critical vulnerability of note is CVE-2025-42937 (CVSS score: 9.8), a directory traversal flaw in SAP Print Service that arises as a result of insufficient path validation, allowing an unauthenticated attacker to reach the parent directory and overwrite system files.\n\nThe third critical flaw patched by SAP concerns an unrestricted file upload bug in SAP Supplier Relationship Management (CVE-2025-42910, CVSS score: 9.0) that could permit an attacker to upload arbitrary files, including malicious executables that could impact the confidentiality, integrity, and availability of the application.\n\n![CIS Build Kits](data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mP8Xw8AAoMBgDTD2qgAAAAASUVORK5CYII=)\n\nWhile there is no evidence of these flaws being exploited in the wild, it's essential that users apply the latest patches and mitigations as soon as possible to avoid potential threats.\n\n\"Deserialization remains the major risk,\" Pathlock's Jonathan Stross said. \"The P4/RMI chain continues to drive critical exposure in AS Java, with SAP issuing both a direct fix and a hardened JVM configuration to reduce gadget\u2011class abuse.\" \n\nFound this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.\n",
    "published": "2025-10-15T05:36:00",
    "modified": "2025-10-15T05:36:11",
    "type": "thn",
    "title": "New SAP NetWeaver Bug Lets Attackers Take Over Servers Without Login",
    "source": "",
    "references": "",
    "id": "THN:612527094B2F2AB5601443C776FC8111",
    "bulletinFamily": "info",
    "cwe": null,
    "cvelist": [
        "CVE-2025-42910",
        "CVE-2025-42937",
        "CVE-2025-42944"
    ],
    "sourceData": "",
    "sourceHref": "",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://thehackernews.com/2025/10/new-sap-netweaver-bug-lets-attackers.html",
    "category_name": "News",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

New SAP NetWeaver Bug Lets Attackers Take Over Servers Without Login_THN:612527094B2F2AB5601443C776FC8111

Description

Basic Information

💭 Join the Security Discussion ❌ Cancel Reply