New SAP NetWeaver Bug Lets Attackers Take Over Servers Without Login

Summary

SAP has issued fixes for 13 security issues in its October 2025 patch cycle, including a maximum-severity insecure deserialization flaw in SAP NetWeaver AS Java (CVE-2025-42944) that carries a CVSS score of 10.0. The flaw allows an unauthenticated attacker to send a malicious payload to the RMI-P4 module and achieve arbitrary OS command execution.

SAP’s latest update adds extra hardening: a JVM-wide serialisation filter (jdk.serialFilter) to block specific classes from being deserialised. Other critical fixes include a directory traversal bug in SAP Print Service (CVE-2025-42937, CVSS 9.8) and an unrestricted file upload issue in SAP Supplier Relationship Management (CVE-2025-42910, CVSS 9.0). There is no public evidence of active exploitation, but vendors and security researchers urge immediate remediation.

Key Points

  • CVE-2025-42944 is an insecure deserialization bug in NetWeaver AS Java (RMI-P4) with CVSS 10.0 allowing unauthenticated arbitrary command execution.
  • SAP’s mitigation includes a JVM-wide jdk.serialFilter that blocks dangerous classes; recommended blocklists were developed with external researchers/ORL.
  • Two other critical fixes: a directory traversal in SAP Print Service (CVE-2025-42937, CVSS 9.8) and an unrestricted file upload in SAP SRM (CVE-2025-42910, CVSS 9.0).
  • No confirmed in-the-wild exploitation so far — but the risk is high due to the unauthenticated nature of the flaws.
  • Organisations should apply October patches and adopt the hardened JVM serialisation filter and any recommended class/package blocklists immediately.
  • Deserialization and the P4/RMI chain remain recurring high-risk vectors in AS Java deployments.

Context and Relevance

This is highly relevant to any organisation running SAP NetWeaver or other SAP Java-based components. Deserialization vulnerabilities in Java have repeatedly produced critical remote code execution paths, and SAP’s RMI/P4 chain has been a recurring source of exposure. The introduction of jdk.serialFilter as a JVM-wide control reflects a shift toward defensive hardening at the platform level rather than just patching individual gadgets.
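The following is an added example, not SAP's code or configuration: it shows how a JVM-wide serialization filter of the kind jdk.serialFilter provides is expressed and what it does at runtime. The class names (Ticket, Unwanted), the pattern string and the log line are constructed for the demo; the actual class and package blocklist for NetWeaver AS Java must be taken from SAP's note, not from here.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not SAP's code): install a JVM-wide serialization filter with the
 * same semantics as -Djdk.serialFilter=..., then show one allowed and one blocked
 * deserialization. All class names and the pattern are constructed for the demo.
 */
public class SerialFilterDemo {

    // Legitimate application type we expect to receive over the wire (assumed).
    static final class Ticket implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        Ticket(String id) { this.id = id; }
    }

    // Stand-in for a class the blocklist names as dangerous (constructed; it does nothing).
    static final class Unwanted implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Same syntax as -Djdk.serialFilter=... : patterns are ';'-separated, the first
    // match wins, '!' rejects, limits apply to the whole object graph and a trailing
    // '!*' denies every class that no earlier pattern allowed.
    static final String FILTER_PATTERN =
        "!SerialFilterDemo$Unwanted;"                          // explicit blocklist entry
      + "maxdepth=10;maxrefs=1000;maxbytes=65536;maxarray=10000;" // graph limits
      + "SerialFilterDemo$Ticket;java.util.*;java.lang.*;"     // allowlist
      + "!*";                                                    // default deny

    /** Wrap the pattern filter so every rejection is logged: that line is a detection signal. */
    static ObjectInputFilter loggingFilter(String pattern) {
        ObjectInputFilter base = ObjectInputFilter.Config.createFilter(pattern);
        return info -> {
            ObjectInputFilter.Status status = base.checkInput(info);
            if (status == ObjectInputFilter.Status.REJECTED) {
                System.err.println("serialFilter REJECTED class=" + info.serialClass()
                    + " depth=" + info.depth() + " bytes=" + info.streamBytes());
            }
            return status;
        };
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject(); // the JVM-wide filter is consulted for every class in the stream
        }
    }

    public static void main(String[] args) throws Exception {
        // Install once per JVM; equivalent to starting the JVM with -Djdk.serialFilter=FILTER_PATTERN.
        ObjectInputFilter.Config.setSerialFilter(loggingFilter(FILTER_PATTERN));

        // Allowed: ArrayList and Ticket are both on the allowlist.
        List<Ticket> tickets = new ArrayList<>();
        tickets.add(new Ticket("T-1"));
        @SuppressWarnings("unchecked")
        List<Ticket> roundTrip = (List<Ticket>) deserialize(serialize(tickets));
        System.out.println("allowed: " + roundTrip.get(0).id);

        // Blocked: the first pattern rejects Unwanted before any object is constructed.
        try {
            deserialize(serialize(new Unwanted()));
            System.out.println("unexpected: Unwanted was accepted");
        } catch (InvalidClassException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

Two points worth keeping in mind when applying this to a real AS Java instance: `ObjectInputFilter.Config.setSerialFilter` may be called only once per JVM and fails if `jdk.serialFilter` was already set on the command line, so choose one mechanism; and a pure blocklist only stops the classes it names, which is why the pattern above ends in `!*` and bounds graph depth and size, so that an unlisted gadget is denied rather than silently accepted. The rejection log line is cheap to forward to a SIEM and is a useful early indicator of deserialization probes against the P4 port.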

Why should I read this?

If you manage SAP systems, don’t ignore this. TL;DR: critical, unauthenticated RCE in NetWeaver + two other severe bugs = urgent patching and config changes. We’ve sketched the must-know bits so you can act fast — patch, enable the serial filter and review exposed RMI endpoints.

Source

Source: https://thehackernews.com/2025/10/new-sap-netweaver-bug-lets-attackers.html