SAP has released its October 2025 Security Patch Day, addressing 13 new security notes and 3 updates across multiple enterprise products. The update includes a critical vulnerability (CVE-2025-42944) in SAP NetWeaver AS Java, which received a CVSS score of 10.0, allowing unauthenticated remote code execution.
CVE-2025-42944 – Insecure Deserialization in SAP NetWeaver AS Java (CVSS 10.0 – Critical)
The most severe issue this month, CVE-2025-42944, affects SAP NetWeaver AS Java SERVERCORE 7.50. The flaw stems from insecure deserialization in the RMI-P4 module, which accepts serialized Java objects from network clients. An attacker could send a malicious payload to an open RMI port, leading to arbitrary operating system command execution.
SAP warns that successful exploitation “could lead to arbitrary OS command execution, posing a high impact to the application’s confidentiality, integrity, and availability.”
This vulnerability requires no authentication or user interaction, making it wormable and one of the most dangerous flaws disclosed in SAP products this year. Organizations using NetWeaver AS Java are urged to apply patches immediately or restrict access to RMI-P4 ports as a temporary mitigation.
CVE-2025-42937 – Directory Traversal in SAP Print Service (CVSS 9.8 – Critical)
SAP also patched a directory traversal vulnerability in SAP Print Service (SAPSprint) that could allow unauthenticated attackers to overwrite arbitrary system files. The issue arises from insufficient validation of user-supplied paths, letting attackers escape restricted directories.
As SAP explains, “An unauthenticated attacker could traverse to the parent directory and overwrite system files, causing high impact on confidentiality, integrity and availability.” The flaw affects SAPSprint versions 8.00 and 8.10, and carries a critical CVSS score of 9.8.
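The root cause SAP describes, insufficient validation of user-supplied paths, is easiest to see next to a correct containment check. The Python below is an added illustration, not SAPSprint's code: a naive ".." filter beside a check that canonicalises the requested path and confirms it stays under the service's output directory (SPOOL_ROOT, the sample requests and the helper names are assumed for the example).

```python
"""Path-containment check of the kind a print/spool service needs.

Added illustration for the directory traversal bug class, not SAP code.
"""
import os
import tempfile
from typing import Optional

# Constructed spool root; a real service would use its fixed output directory.
SPOOL_ROOT = tempfile.mkdtemp(prefix="spool-")


def naive_is_safe(user_path: str) -> bool:
    """Weak check: only rejects a literal '..' path segment in the raw string."""
    return ".." not in user_path.split("/")


def resolve_under_root(root: str, user_path: str) -> Optional[str]:
    """Hardened check: canonicalise, then require the result to stay under root.

    Returns the absolute target path, or None when the request escapes root.
    """
    root_real = os.path.realpath(root)
    # Join first, then collapse '..' segments and symlinks. An absolute
    # user_path discards root during join, which the check below catches.
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    # commonpath is segment-aware: '/spool' is not treated as a prefix of '/spool2'.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


SAMPLE_REQUESTS = {  # constructed inputs
    "jobs/print001.txt": "normal spool file",
    "../../etc/hosts": "parent-directory traversal",
    "/etc/hosts": "absolute path, passes the naive filter",
    "jobs/../../escape.txt": "traversal hidden behind a valid prefix",
}


def evaluate(requests=SAMPLE_REQUESTS) -> dict:
    """Return {path: (naive_verdict, hardened_verdict)} for each request."""
    return {p: (naive_is_safe(p), resolve_under_root(SPOOL_ROOT, p) is not None)
            for p in requests}


if __name__ == "__main__":
    for path, (naive, hardened) in evaluate().items():
        print(f"{path!r:28} naive={naive!s:5} hardened={hardened}")
```

Note that the absolute-path request is accepted by the substring filter but rejected by the canonicalising check, which is why containment must be decided on the resolved path rather than on the raw string.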
CVE-2025-42910 – Unrestricted File Upload in SAP Supplier Relationship Management (CVSS 9.0 – Critical)
Another critical flaw, CVE-2025-42910, affects SAP Supplier Relationship Management (SRM). The product fails to verify file types or content during uploads, allowing authenticated users to upload malicious files.
SAP warns, “Due to missing verification of file type or content, an authenticated attacker can upload arbitrary files. These files could include executables which might be downloaded and executed by the user, hosting malware.”
The vulnerability impacts SRMNXP01 versions 100 and 150, posing a high risk to application servers in procurement environments.
Other High-Severity Vulnerabilities
The October Patch Day also included several other high-severity flaws that require immediate attention:
- A High-priority Denial of Service (DoS) vulnerability, CVE-2025-5115 (CVSS 7.5), affects SAP Commerce Cloud (Versions HY_COM 2205, COM_CLOUD 2211, 2211-JDK21).
- A High-priority Security Misconfiguration vulnerability, CVE-2025-48913 (CVSS 7.1), was reported in SAP Data Hub Integration Suite (Version CX_DATAHUB_INT_PACK 2205).
Medium- and Low-Severity Vulnerabilities
The remaining vulnerabilities, primarily rated Medium or Low, address various issues across a broad range of products:
- An update to a previously released security note from January 2025 addresses CVE-2025-0059, an Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (CVSS 6.0).
- A Medium-priority Code Injection vulnerability, CVE-2025-42901 (CVSS 5.4), affects SAP Application Server for ABAP.
- A Cross-Site Request Forgery (CSRF) vulnerability, CVE-2025-42908 (CVSS 5.4), was patched in SAP NetWeaver Application Server for ABAP.
- A Medium-priority Directory Traversal vulnerability, CVE-2025-42906 (CVSS 5.3), was fixed in SAP Commerce Cloud.
- A Memory Corruption vulnerability, CVE-2025-42902 (CVSS 5.3), affects SAP NetWeaver AS ABAP and ABAP Platform.
- A Missing Authorization Check vulnerability, CVE-2025-42939 (CVSS 4.3), was disclosed in SAP S/4HANA.
- An update to a security note from April 2025 addresses CVE-2025-31331, an Authorization Bypass vulnerability in SAP NetWeaver (CVSS 4.3).
- A User Enumeration and Sensitive Data Exposure flaw, CVE-2025-42903 (CVSS 4.3), was found in SAP Financial Service Claims Management.
- A Low-priority Deserialization Vulnerability, CVE-2025-31672 (CVSS 3.5), was reported in SAP BusinessObjects.
- A Low-priority Security Misconfiguration vulnerability, CVE-2025-42909 (CVSS 3.0), affects SAP Cloud Appliance Library Appliances.
SAP strongly urges all affected customers to apply the relevant security patches immediately, especially for the critical 10.0 vulnerability in NetWeaver AS Java.