SAP Releases Patches to Fix Vulnerabilities in NetWeaver


409/68 Friday, October 17, 2025

SAP has issued a security update addressing 13 newly discovered vulnerabilities, including one critical flaw with the highest severity rating (CVSS 10.0), tracked as CVE-2025-42944 in SAP NetWeaver. The issue, categorized as Insecure Deserialization, allows attackers to execute malicious commands. This vulnerability can be exploited remotely without authentication via the RMI-P4 module. By sending specially crafted payloads to an open port, attackers can trigger unsafe deserialization of Java objects, enabling direct execution of operating system-level commands. This affects the confidentiality, integrity, and availability of the system.
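To show the mechanism from the defender's side, here is an added Java example (not SAP's code and unrelated to the NetWeaver P4 implementation): a harmless stand-in class runs code in its readObject hook, which is what an unfiltered ObjectInputStream grants to any class in the stream, and a JEP 290 allowlist filter rejects it while still accepting the expected type. The class names and the filter pattern are assumptions for this demo.

```java
import java.io.*;

public class DeserializationFilterDemo {
    // Stand-in for the object type the service legitimately expects (assumed name).
    static class Invoice implements Serializable { int number = 42; }
    // Stand-in for an unexpected class: its readObject hook runs during deserialization.
    // A real gadget chain would do harm at this point; this one only records that it ran.
    static class UnexpectedGadget implements Serializable {
        static boolean executed = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            executed = true;
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    // Vulnerable pattern: deserialize whatever arrives, so any class on the classpath is instantiated.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened pattern: a JEP 290 allowlist (Java 9+) accepts only Invoice; "!*" rejects all else.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    "DeserializationFilterDemo$Invoice;!*"));
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = serialize(new UnexpectedGadget());
        readUnfiltered(payload);
        System.out.println("unfiltered: gadget readObject ran = " + UnexpectedGadget.executed);
        UnexpectedGadget.executed = false;
        try { readFiltered(payload); }
        catch (InvalidClassException e) { System.out.println("filtered: rejected, " + e.getMessage()); }
        System.out.println("filtered: gadget readObject ran = " + UnexpectedGadget.executed);
        System.out.println("filtered: expected type accepted = "
                + (readFiltered(serialize(new Invoice())) instanceof Invoice));
    }
}
```

The same allowlist can be applied process-wide with the `jdk.serialFilter` system property, which covers code paths that never call setObjectInputFilter themselves.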

Other critical vulnerabilities addressed include:

  • CVE-2025-42937 (CVSS 9.8) – A Directory Traversal flaw in SAP Print Service (SAPSprint), allowing unauthenticated attackers to overwrite system files.
  • CVE-2025-42910 (CVSS 9.0) – An Unrestricted File Upload vulnerability in SAP Supplier Relationship Management (SRM), which permits attackers to upload malicious files that could lead to malware propagation.

Although there is currently no evidence of these vulnerabilities being exploited in the wild, SAP strongly urges all users to apply the patches immediately. The NetWeaver vulnerability poses a particularly severe risk, as the system is widely used by large enterprises globally.

Source: https://securityaffairs.com/183420/security/sap-fixed-maximum-severity-bug-in-netweaver.html