SAP released its October 2025 Security Patch Day fixes, addressing 13 new vulnerabilities and updating four prior notes, with several critical flaws in NetWeaver enabling attackers to sidestep authorization and run arbitrary operating system commands on affected systems.
Among the most alarming is CVE-2025-42944, an insecure deserialization issue in SAP NetWeaver AS Java’s RMI-P4 module, rated at a perfect CVSS score of 10.0 for its potential to grant unauthenticated remote attackers full control without any login credentials.
This vulnerability, first patched in September but now bolstered with extra safeguards, underscores the ongoing risks to SAP environments that power global business operations, potentially leading to data breaches, ransomware deployment, or complete system takeovers.
Critical Deserialization Flaw Allows Remote Takeover
The core threat stems from how SAP NetWeaver handles serialized Java objects over its proprietary RMI-P4 protocol, typically exposed on ports like 50004 or 50014, where insufficient validation allows malicious payloads to be deserialized and executed directly on the server.
Attackers can craft these payloads remotely over the network, bypassing all authentication checks and triggering arbitrary OS command execution with the privileges of the NetWeaver process, which often runs with elevated access in enterprise setups.
Onapsis Research Labs collaborated with SAP to identify this risk, noting that exploitation requires no user interaction and could compromise confidentiality, integrity, and availability across connected SAP landscapes.
Affected versions include SERVERCORE 7.50, and while no public proofs-of-concept exist yet, the flaw’s simplicity makes it a prime target for threat actors scanning for unpatched systems.
SAP’s October update to notes 3660659 and 3634501 introduces a JVM-wide filter (jdk.serialFilter) to block dangerous class deserialization, dividing protections into mandatory and optional lists developed with security experts to prevent gadget chains that lead to code execution.
However, complementary issues amplify the danger, such as CVE-2025-31331, an authorization bypass in older NetWeaver versions (SAP_ABA 700 to 75I), allowing low-privileged users to access restricted functions and potentially escalate to command injection.
Another update to note 3441087 covers missing checks in SAP S/4HANA’s purchase contract management, while CVE-2025-42901 enables code injection via the BAPI Browser in ABAP servers, letting authenticated users alter code flows and expose sensitive data [query].
These flaws, with CVSS scores from 4.3 to 5.4, highlight persistent gaps in access controls that could chain with deserialization exploits for deeper intrusions.
Beyond NetWeaver, the patch day tackles related high-severity issues like CVE-2025-42937, a 9.8-rated directory traversal in SAP Print Service versions 8.00 and 8.10, enabling unauthenticated file overwrites, and CVE-2025-42910, a file upload vulnerability in Supplier Relationship Management that escalates to system compromise.
| CVE ID | Note ID | Product | Affected Versions | Severity | CVSS Score | Description |
|---|---|---|---|---|---|---|
| CVE-2025-42944 | 3660659, 3634501 (update) | SAP NetWeaver AS Java (RMI-P4) | SERVERCORE 7.50 | Critical | 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) | Insecure deserialization allowing unauthenticated remote code execution via malicious payloads on open ports. |
| CVE-2025-42937 | 3630595 | SAP Print Service | SAPSPRINT 8.00, 8.10 | Critical | 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) | Directory traversal due to insufficient path validation, enabling unauthenticated file overwrites . |
| CVE-2025-42910 | 3647332 | SAP Supplier Relationship Management | SRMNXP01 100, 150 | Critical | 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H) | Unrestricted file upload allowing authenticated users with user interaction to achieve system compromise . |
| CVE-2025-5115 | 3664466 | SAP Commerce Cloud (Search and Navigation) | HY_COM 2205, COM_CLOUD 2211, 2211-JDK21 | High | 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) | Denial of service via resource exhaustion in search functionality. |
| CVE-2025-48913 | 3658838 | SAP Data Hub Integration Suite | CX_DATAHUB_INT_PACK 2205 | High | 7.1 (AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) | Security misconfiguration exposing sensitive data over adjacent networks with user interaction . |
| CVE-2025-0059 | 3503138 (update) | SAP NetWeaver Application Server ABAP (SAP GUI for HTML) | KRNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93, 9.12, 9.14 | Medium | 6.0 (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N) | Information disclosure of client-side input history to high-privilege local attackers. |
| CVE-2025-42901 | 3652788 | SAP Application Server for ABAP (BAPI Browser) | SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 816 | Medium | 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) | Code injection allowing low-privileged users to alter code execution flows. |
| CVE-2025-42908 | 3642021 | SAP NetWeaver Application Server for ABAP | KRNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93, 9.16 | Medium | 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) | Cross-site request forgery via inconsistent session handling, bypassing first-screen checks . |
| CVE-2025-42984 | 3441087 (update) | SAP S/4HANA (Manage Central Purchase Contract) | S4CORE 106, 107, 108 | Medium | 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L) | Missing authorization checks allowing low-privileged access to sensitive procurement functions. |
| CVE-2025-42906 | 3634724 | SAP Commerce Cloud | COM_CLOUD 2211 | Medium | 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) | Directory traversal exposing limited file reads without authentication. |
| CVE-2025-42902 | 3627308 | SAP NetWeaver AS ABAP and ABAP Platform | KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53; KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 9.14, 9.15, 9.16 | Medium | 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) | Memory corruption in ticket verification leading to unauthenticated denial of service. |
| CVE-2025-42939 | 3625683 | SAP S/4HANA (Manage Processing Rules for Bank Statements) | S4CORE 104, 105, 106, 107, 108, 109 | Medium | 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) | Missing authorization allowing low-privileged users to manipulate bank statement rules . |
| CVE-2025-31331 | 3577131 (update) | SAP NetWeaver | SAP_ABA 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G, 75H, 75I | Medium | 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) | Authorization bypass enabling low-privileged access to restricted NetWeaver functions. |
| CVE-2025-42903 | 3656781 | SAP Financial Service Claims Management | INSURANCE 803, 804, 805, 806; S4CEXT 107, 108, 109 | Medium | 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) | User enumeration and sensitive data exposure via RFC functions . |
| CVE-2025-31672 | 3617142 | SAP BusinessObjects (Web Intelligence and Platform Search) | ENTERPRISE 430, 2025, 2027 | Low | 3.5 (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N) | User enumeration and sensitive data exposure via RFC functions. |
| CVE-2025-42909 | 3643871 | SAP Cloud Appliance Library Appliances | TITANIUM_WEBAPP 4.0 | Low | 3.0 (AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N) | Deserialization flaw allowing low-privileged users with interaction to cause integrity issues. |
Security firms urge immediate patching, emphasizing multi-layered defenses given the rising exploits in SAP ecosystems, as seen in recent zero-days.
SAP advises customers to prioritize these updates via the Support Portal to safeguard against evolving threats in mission-critical applications.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
