SAP has released security fixes for 13 new security issues, including a high-priority update for a critical deserialization bug in its NetWeaver AS Java platform. This vulnerability, tracked as CVE-2025-42944, has a maximum severity score of 10.0 on the CVSS scale. An unauthenticated attacker could exploit this flaw by sending a malicious payload to an open port through the RMI-P4 module. The system would then deserialize this untrusted Java object, allowing the attacker to execute arbitrary OS commands and severely impact the application’s confidentiality, integrity, and availability.
While SAP initially addressed this vulnerability last month, the latest patch offers an additional layer of protection. Security company Onapsis notes that this new fix implements a JVM-wide filter (jdk.serialFilter) that prevents certain classes from being deserialized. This extra safeguard was developed in collaboration with the ORL (Onapsis Research Labs) and provides a list of recommended classes and packages to block, which is divided into both mandatory and optional sections. This approach further reduces the risk posed by insecure deserialization.
Another notable critical vulnerability patched is CVE-2025-42937, which has a CVSS score of 9.8. This flaw is a directory traversal bug found in SAP Print Service. The vulnerability stems from insufficient path validation, which an unauthenticated attacker could leverage to access the parent directory and overwrite critical system files. This could have a significant impact on system stability and data integrity.
In addition to these, SAP also patched a third critical vulnerability: an unrestricted file upload bug in SAP Supplier Relationship Management (CVE-2025-42910) with a CVSS score of 9.0. This flaw could allow an attacker to upload arbitrary files, including malicious executables. If exploited, this could compromise the confidentiality, integrity, and availability of the application and its data.
Although there is no evidence that these specific flaws have been actively exploited in the wild, it is crucial for users to apply these latest patches and mitigations immediately. As Pathlock’s Jonathan Stross points out, deserialization remains a significant risk, and the P4/RMI chain continues to be a major source of critical exposure in AS Java. SAP’s release of a direct fix and a hardened JVM configuration shows the importance of reducing “gadget-class abuse” to protect against these types of attacks.
Reference:
