SAP’s October 2025 Security Patch Day has unveiled several critical vulnerabilities within the SAP NetWeaver platform, posing significant risks to enterprise systems worldwide. These flaws could allow attackers to bypass authorization mechanisms and execute arbitrary operating system commands, potentially leading to full system compromise.
CVE-2025-42944: Insecure Deserialization in RMI-P4 Module
Among the most severe issues is CVE-2025-42944, an insecure deserialization vulnerability in SAP NetWeaver AS Java’s RMI-P4 module. This flaw has been assigned a CVSS score of 10.0, indicating its critical nature. The vulnerability arises from inadequate validation of serialized Java objects transmitted over the RMI-P4 protocol, which is typically exposed on ports such as 50004 or 50014. Attackers can exploit this weakness by sending malicious payloads that, when deserialized by the server, allow for the execution of arbitrary OS commands without requiring authentication. This could result in unauthorized access, data breaches, and potential deployment of ransomware.
CVE-2025-31331: Authorization Bypass in Older NetWeaver Versions
Another significant vulnerability, CVE-2025-31331, affects older versions of SAP NetWeaver (SAP_ABA 700 to 75I). This flaw permits low-privileged users to bypass authorization checks, granting them access to restricted functions. Such unauthorized access can lead to privilege escalation and, in some cases, command injection, further compromising system integrity.
Additional Vulnerabilities and Their Implications
The October 2025 patch release also addresses other critical issues:
– CVE-2025-42937: A directory traversal vulnerability in SAP Print Service versions 8.00 and 8.10, with a CVSS score of 9.8. This flaw allows unauthenticated users to overwrite files, potentially leading to data corruption or system instability.
– CVE-2025-42910: An unrestricted file upload vulnerability in SAP Supplier Relationship Management (SRMNXP01 100, 150), rated at 9.0 on the CVSS scale. Authenticated users can exploit this to upload malicious files, leading to remote code execution and system compromise.
Mitigation Measures and Recommendations
To address these vulnerabilities, SAP has released patches and security notes, including updates to notes 3660659 and 3634501, which introduce a JVM-wide filter (jdk.serialFilter) to block dangerous class deserialization. Organizations are strongly advised to:
1. Apply Patches Promptly: Implement the latest security patches provided by SAP to mitigate these vulnerabilities.
2. Restrict Network Access: Limit exposure of critical services by configuring firewalls to restrict access to necessary ports and services.
3. Monitor System Logs: Regularly review logs for unusual activities that may indicate exploitation attempts.
4. Implement Strong Access Controls: Ensure that only authorized personnel have access to sensitive systems and data.
By taking these proactive steps, organizations can significantly reduce the risk posed by these vulnerabilities and protect their SAP NetWeaver environments from potential attacks.
