SAP has released security patches for 13 new flaws, including a maximum severity vulnerability in SAP NetWeaver that could be exploited for arbitrary command execution.
Critical Vulnerabilities Addressed
The most severe issue, tracked as CVE-2025-42944 (CVSS score of 10.0), is an insecure deserialization flaw in SAP NetWeaver. An unauthenticated attacker could exploit this vulnerability by submitting malicious data to an open port via the RMI-P4 module. The deserialization of these untrusted Java objects could lead to arbitrary operating system command execution, posing a high impact to the confidentiality, integrity, and availability of the application.
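The defence against this flaw class is to never resolve classes from an untrusted stream without an allow-list; on the Java side that is what serialization filtering (JEP 290, `ObjectInputFilter`) provides. The following Python snippet is an added illustration of the same principle, not SAP's code or anything from the advisory: `RestrictedUnpickler`, `safe_loads`, `is_accepted` and the sample blobs are all hypothetical names and constructed data.

```python
import collections
import io
import pickle

# Allow-list of (module, name) pairs an incoming object graph may reference.
# Anything else is refused before find_class() would import or instantiate it.
ALLOWED_GLOBALS = {
    ("builtins", "dict"),
    ("builtins", "list"),
    ("builtins", "set"),
    ("builtins", "frozenset"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allow-listed classes (hypothetical helper)."""

    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to resolve {module}.{name}")


def safe_loads(data: bytes):
    """Deserialize untrusted bytes; raises UnpicklingError on any class outside the allow-list."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_accepted(data: bytes) -> bool:
    """True if the stream deserializes under the filter, False if it was refused."""
    try:
        safe_loads(data)
        return True
    except pickle.UnpicklingError:
        return False


# Constructed sample inputs (not from the advisory): a record built only from
# allow-listed types, and a record that references a class outside the list.
SAFE_BLOB = pickle.dumps({"job": 42, "files": ["a.prn", "b.prn"]})
UNLISTED_BLOB = pickle.dumps(collections.OrderedDict(job=42))

if __name__ == "__main__":
    print("safe record:", safe_loads(SAFE_BLOB))
    print("unlisted class accepted?", is_accepted(UNLISTED_BLOB))
```

The point of the filter is that the decision happens in `find_class`, before any constructor or `__reduce__` callable from the stream runs; a deny-list approach would have to anticipate every dangerous class in advance, which is exactly what fails in practice.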
SAP also addressed a pair of other critical flaws:
- Directory Traversal in SAP Print Service: Tracked as CVE-2025-42937 (CVSS score of 9.8), this vulnerability in SAP Print Service (SAPSprint) allows unauthenticated attackers to use path traversal techniques to overwrite critical system files.
- Unrestricted File Upload in SAP Supplier Relationship Management: This flaw, CVE-2025-42910 (CVSS score of 9.0), allows an authenticated attacker to upload arbitrary files due to missing content verification. These uploaded files could include executables that might host malware, leading to a high impact on the confidentiality, integrity, and availability of the application.
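The two flaws above share a root cause: a user-supplied name or file is trusted without checking what it actually refers to. The following Python snippet is an added example (not SAP's code or anything from the advisory) of the two corresponding checks: confining a write to a base directory after resolving `..` and absolute segments, and verifying an upload's leading bytes against its declared extension. `SPOOL_DIR`, the function names and the sample byte strings are hypothetical or constructed.

```python
from pathlib import Path

# Spool directory the service is allowed to write into (constructed value).
SPOOL_DIR = "/srv/sapsprint/spool"


def resolve_under_base(base_dir: str, user_path: str) -> Path:
    """Return the absolute path for user_path inside base_dir, or raise if it escapes."""
    base = Path(base_dir).resolve()
    # Joining an absolute user_path would discard base_dir entirely, and ".."
    # segments would climb out of it; resolve() normalises both before the check.
    candidate = (base / user_path).resolve()
    if base not in candidate.parents:
        raise ValueError(f"path escapes base directory: {user_path!r}")
    return candidate


def is_within_base(base_dir: str, user_path: str) -> bool:
    """Boolean form of resolve_under_base for callers that only need a verdict."""
    try:
        resolve_under_base(base_dir, user_path)
        return True
    except ValueError:
        return False


# Declared extension -> leading bytes the content must actually start with.
# Only formats the application expects to receive are listed.
EXPECTED_MAGIC = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
}


def upload_is_acceptable(filename: str, content: bytes) -> bool:
    """Accept the upload only if the extension is allowed and the bytes match it."""
    _, dot, ext = filename.rpartition(".")
    ext = ext.lower() if dot else ""
    magic = EXPECTED_MAGIC.get(ext)
    if magic is None:
        return False            # unknown or missing extension
    return content.startswith(magic)


# Constructed samples: a minimal PDF header and the first bytes of a Windows
# executable header, the latter renamed to look like a document.
PDF_SAMPLE = b"%PDF-1.7\n1 0 obj\n<<>>\nendobj\n%%EOF\n"
PE_SAMPLE = b"MZ\x90\x00\x03\x00\x00\x00"

if __name__ == "__main__":
    print(is_within_base(SPOOL_DIR, "jobs/42.prn"))          # True
    print(is_within_base(SPOOL_DIR, "../../../etc/hosts"))   # False
    print(upload_is_acceptable("invoice.pdf", PDF_SAMPLE))   # True
    print(upload_is_acceptable("invoice.pdf", PE_SAMPLE))    # False
```

Checking the resolved path against the resolved base (rather than searching the raw string for `..`) also covers absolute paths and symlinked directories, and checking content bytes rather than the extension alone is what "content verification" means in the second advisory.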