Business Honor
15 October, 2025
SAP has fixed a critical SAP NetWeaver flaw that lets remote attackers execute arbitrary operating system commands.
SAP has released fixes for 13 new vulnerabilities, the most serious of which is a flaw in SAP NetWeaver AS Java that could let attackers take full control of affected systems. Rated at the maximum CVSS severity of 10.0 and tracked as CVE-2025-42944, it allows unauthenticated attackers to abuse the RMI-P4 module by sending crafted payloads to an exposed port. The root cause is unsafe deserialization: when a malicious Java object is processed, the attacker can run arbitrary operating system commands, threatening the confidentiality, integrity, and availability of the system.
SAP initially patched the issue last month, but according to security firm Onapsis, the latest update hardens the fix by adding a JVM-wide deserialization filter configured through the jdk.serialFilter property. By preventing listed classes and packages from being deserialized at all, the filter makes the weakness considerably harder to exploit. SAP's Offensive Research Labs (ORL) helped assemble the list of restricted classes, which contains both mandatory and optional blocks for stronger protection. Among the other critical fixes is CVE-2025-42937, a directory traversal flaw in SAP Print Service (CVSS 9.8) that lets unauthenticated attackers read and modify sensitive system files. Another is CVE-2025-42910 in SAP Supplier Relationship Management (CVSS 9.0), an unrestricted file upload flaw that could let attackers upload malicious content, including ransomware.
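To make the jdk.serialFilter mechanism concrete, the following is an added illustration of how a JDK serialization filter (JEP 290) gates what ObjectInputStream will reconstruct. It is not SAP, Onapsis or Pathlock code: the Allowed and Rejected classes and the filter pattern are constructed for the demo, and SAP's actual blocklist is not reproduced here. The same pattern string can be applied to every ObjectInputStream in a JVM with -Djdk.serialFilter=... instead of attaching it per stream as the demo does.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/**
 * Added example of a JDK serialization filter. The classes and the pattern
 * are constructed for illustration and are not SAP's filter list.
 */
public class SerialFilterDemo {

    /** A type the filter permits. */
    public static final class Allowed implements Serializable {
        private static final long serialVersionUID = 1L;
        final String note;
        Allowed(String note) { this.note = note; }
    }

    /** A stand-in for a type an operator wants kept out of deserialization. */
    public static final class Rejected implements Serializable {
        private static final long serialVersionUID = 1L;
        final int value;
        Rejected(int value) { this.value = value; }
    }

    /**
     * Same syntax as -Djdk.serialFilter=... Entries are tried in order and the
     * first match wins: the "!" entry blocks Rejected, Allowed and the JDK's own
     * classes are accepted, and the trailing "!*" makes the list default-deny so
     * any unlisted class is refused as well.
     */
    static final String PATTERN =
        "!SerialFilterDemo$Rejected;SerialFilterDemo$Allowed;java.**;!*";

    /** Serialize an object to bytes (stands in for data arriving on a port). */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserialize with the filter attached; a blocked class raises InvalidClassException. */
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(PATTERN);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Object ok = deserializeFiltered(serialize(new Allowed("permitted")));
        System.out.println("accepted: " + ((Allowed) ok).note);

        try {
            deserializeFiltered(serialize(new Rejected(42)));
            System.out.println("unexpected: Rejected was deserialized");
        } catch (InvalidClassException e) {
            // The stream is refused before the class is ever instantiated.
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SerialFilterDemo.java && java SerialFilterDemo` on Java 9 or later. The rejection surfaces as an InvalidClassException whose message reports the filter status, which is why filter rejections in application logs are a useful detection signal: they show deserialization attempts that the filter turned away.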
Although no attacks exploiting these flaws have been detected so far, security experts stress the importance of installing the updates promptly to reduce the risk. Pathlock's Jonathan Stross said that the P4/RMI module continues to pose serious dangers and that deserialization issues remain an active attack technique. Looking ahead, SAP and other software vendors are expected to develop AI-powered security systems capable of automatically identifying and preventing risks such as deserialization attacks in real time, in order to build smarter, safer software.