SAP has released fixes for 13 security vulnerabilities, including additional protections against a severe flaw in SAP NetWeaver AS Java that could enable unauthorized command execution.
Tracked as CVE-2025-42944 with a CVSS score of 10.0, the vulnerability is an insecure deserialization flaw. An unauthenticated attacker can exploit it through the RMI-P4 module by sending a malicious payload to an open port, which could lead to arbitrary operating system command execution and severely compromise the application's confidentiality, integrity, and availability.
Although SAP initially addressed the issue last month, security firm Onapsis reports that the latest update introduces additional safeguards against deserialization risks. The update adds a JVM-wide deserialization filter (jdk.serialFilter) that blocks specific classes from being deserialized; the filter was developed in collaboration with the ORL and is divided into mandatory and optional sections.
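As an added illustration of the mechanism described above (not SAP's, Onapsis's or Pathlock's code, and not SAP's actual filter contents), the snippet below applies a filter written in jdk.serialFilter syntax to an ObjectInputStream so that a class outside the allowed set is rejected before any of its deserialization code runs; the deny entry org.example.gadgets.** and the Untrusted class are constructed for the demo.

```java
import java.io.*;
import java.util.HashMap;

public class SerialFilterDemo {
    // Constructed pattern in jdk.serialFilter syntax (JDK 9+). Entries are checked
    // left to right and the first match decides: "!" rejects, "**" covers
    // sub-packages, "java.base/*" allows any class in the java.base module, and the
    // final "!*" rejects everything not explicitly allowed. maxdepth/maxarray bound
    // the object graph so a crafted stream cannot exhaust memory or stack.
    static final String FILTER_PATTERN =
            "!org.example.gadgets.**;"   // hypothetical deny entry for a gadget package
          + "maxdepth=10;maxarray=1000;"
          + "java.base/*;"
          + "!*";

    // Constructed stand-in for a Serializable class that is not on the allow list.
    static class Untrusted implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Applies the filter to one stream; -Djdk.serialFilter=<pattern> on the JVM
    // command line installs a filter of the same form process-wide instead.
    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(FILTER_PATTERN);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();   // throws InvalidClassException on REJECTED
        }
    }

    public static void main(String[] args) throws Exception {
        // java.util.HashMap lives in java.base, so the filter lets it through.
        System.out.println("allowed: " + deserialize(serialize(new HashMap<>())));
        try {
            deserialize(serialize(new Untrusted()));
        } catch (InvalidClassException e) {
            // Rejected before any readObject()/readResolve() code in the stream can run.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A per-stream filter as shown protects only the code paths that install it; the JVM-wide property is what gives the blanket coverage the update relies on.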
Another critical vulnerability, CVE-2025-42937 (CVSS score: 9.8), is a directory traversal flaw in SAP Print Service. Due to insufficient path validation, an unauthenticated attacker can access parent directories and overwrite system files.
Additionally, SAP has patched an unrestricted file upload vulnerability in SAP Supplier Relationship Management (CVE-2025-42910, CVSS score: 9.0). This flaw allows attackers to upload arbitrary files, including malicious executables, potentially affecting the application’s confidentiality, integrity, and availability.
While there is no evidence of these vulnerabilities being exploited in the wild, it is crucial for users to apply the latest patches and mitigations promptly to prevent potential threats.
Jonathan Stross from Pathlock emphasizes that deserialization remains a significant risk. The P4/RMI chain continues to pose critical exposure in AS Java, prompting SAP to issue both a direct fix and a hardened JVM configuration to mitigate gadget-class abuse.