SAP's October 2025 Security Patch Day delivered 13 new security notes and 3 updates to earlier notes across its enterprise product line. At the center of the release was CVE-2025-42944, a critical vulnerability in the SAP NetWeaver AS Java platform rated CVSS 10.0 that allows remote code execution without authentication. It is considered one of the most dangerous flaws disclosed in the SAP ecosystem this year.
According to the technical description, CVE-2025-42944 stems from insecure deserialization in the RMI-P4 module of NetWeaver AS Java 7.50 (SERVERCORE). This component receives serialized Java objects over the network but does not validate the incoming data before reconstructing them. An attacker can send a crafted serialized object to an exposed P4 port and have the server deserialize it, leading to execution of arbitrary commands on the operating system. SAP warns that successful exploitation can result in full compromise of the system, seriously affecting the confidentiality, integrity and availability of the application.
The vulnerability is especially dangerous because it requires neither authentication nor user interaction, which makes it well suited to automated, large-scale exploitation. Experts estimate that any unpatched NetWeaver AS Java server exposed to the Internet can be compromised remotely and implanted with malicious code. SAP recommends deploying the patch immediately; where that is not yet possible, restricting network access to the RMI-P4 port is an urgent interim measure.
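To make the vulnerability class concrete, the following Java program is an added example written for this article; it is not SAP code and does not reproduce CVE-2025-42944 itself. It contrasts reading a serialized object from an untrusted peer with no control over which class gets instantiated against the same read guarded by a JEP 290 deserialization filter (java.io.ObjectInputFilter) that allow-lists only the types the service expects. The Ping and Unexpected classes and the in-memory byte array standing in for the network are constructed for the example.

```java
import java.io.*;

/**
 * Added example, not SAP code: unfiltered versus allow-listed
 * deserialization of objects received from an untrusted peer.
 * The "wire" bytes are built in-process here; in a real RMI/P4
 * listener they would arrive over the network.
 */
public class DeserializationFilterDemo {

    /** The only application type the hypothetical service expects. */
    public static final class Ping implements Serializable {
        private static final long serialVersionUID = 1L;
        final String from;
        Ping(String from) { this.from = from; }
    }

    /** Any other serializable class a peer might choose to send instead. */
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        final int payload = 42;
    }

    /** Produce the bytes a peer would put on the wire (constructed input). */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Vulnerable pattern: every serializable class on the classpath is fair game. */
    static Object readUnfiltered(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            return ois.readObject();
        }
    }

    /** Hardened pattern: allow-list the expected types, reject everything else ("!*"). */
    static Object readFiltered(byte[] wire) throws IOException, ClassNotFoundException {
        // Ping carries a String field, so java.lang.String must be allowed too.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                Ping.class.getName() + ";java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Ping("client-1"));
        byte[] unexpected = serialize(new Unexpected());

        // Without a filter both payloads are happily instantiated.
        System.out.println("unfiltered, expected type  : "
                + readUnfiltered(expected).getClass().getSimpleName());
        System.out.println("unfiltered, unexpected type: "
                + readUnfiltered(unexpected).getClass().getSimpleName());

        // With the filter only the allow-listed type survives.
        System.out.println("filtered, expected type    : "
                + readFiltered(expected).getClass().getSimpleName());
        try {
            readFiltered(unexpected);
            System.out.println("filtered, unexpected type  : accepted (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected type  : rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo` on JDK 9 or later; the filtered read rejects the Unexpected instance with an InvalidClassException whose message is "filter status: REJECTED". The same allow-list can be applied process-wide with the `-Djdk.serialFilter=` JVM option, which also covers listeners whose code you do not control. This is a general defense for the insecure-deserialization class and does not replace the SAP note or the network restriction the article mentions.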
In the same release, SAP also addressed CVE-2025-42937, a critical directory traversal vulnerability in SAP Print Service (SAPSprint), rated CVSS 9.8. The flaw allows an unauthenticated attacker to overwrite system files by submitting a crafted path that escapes the restricted directory. Once exploited, it can compromise the entire print service and the underlying platform services, directly threatening the security and stability of the server.
The October patch additionally fixed CVE-2025-42910, an unrestricted file upload vulnerability in SAP Supplier Relationship Management (SRM). Because the affected component does not check the type or contents of uploaded files, attackers can upload malicious files, including executables, opening the way to malware distribution or hijacking of the application. The flaw affects the SRMNXP01 100 and 150 versions and poses a particularly large risk to SRM systems that run procurement and supply chain management operations for the enterprise.
Besides the three critical flaws, this month's update also resolves several high-severity vulnerabilities, including a denial-of-service flaw in SAP Commerce Cloud rated 7.5 and a security misconfiguration in the data integration toolkit SAP Data Hub rated 7.1. These issues can disrupt services or be leveraged to widen an attack within an enterprise data integration environment.
The medium- and low-severity issues SAP published in the same release mainly involve information disclosure, code injection, cross-site request forgery (CSRF) and missing authorization checks in platforms such as NetWeaver, S/4HANA and BusinessObjects. Some notes also update vulnerabilities published earlier in the year, such as an information disclosure flaw in NetWeaver AS ABAP and a missing authorization check in NetWeaver.
SAP advises users and businesses to deploy the patches promptly to reduce the risk of exploitation.