CISOs with SAP NetWeaver AS Java servers in their environments should make sure admins patch two highly critical vulnerabilities as soon as possible.
They are among the most important of the monthly Patch Tuesday fixes issued today by a number of vendors.
The worst NetWeaver vulnerability, CVE-2025-42944, rated 10 on the CVSS scale, is an insecure deserialization vulnerability in the RMI-P4 module of an AS Java deployment.
“The vulnerability allows an unauthenticated attacker to execute arbitrary OS commands by submitting a malicious payload to an open port,” noted security researchers at Onapsis. “A successful exploit can lead to full compromise of the application,” they said in a blog.
As a temporary workaround until the patch can be installed, admins should add P4 port filtering at the ICM level to prevent unknown hosts from connecting to the P4 port.
This vulnerability could be exploited using a similar attack to the one published a few weeks ago by a suspected merged group of threat actors that researchers call Scattered LAPSUS$ ShinyHunters, Onapsis CTO Juan Pablo Perez-Etchegoyen told CSO. “The sole fact of it being a deserialization vulnerability, exploitable in an unauthenticated way, makes it very critical,” he said. “The positive side of this vulnerability for defenders is that it is exploitable through a protocol that is not typically internet-facing, the RMI-P4 SAP protocol.”
Deserialization vulnerabilities are common in products like NetWeaver, Johannes Ullrich, the SANS Institute’s dean of research, told CSO. For example, he said, Oracle WebLogic, NetWeaver’s direct competitor, has been affected by numerous similar vulnerabilities.
The second worst NetWeaver AS Java hole, with a CVSS score of 9.9, is an insecure file operations vulnerability. This service flaw allows an attacker, authenticated as a non-administrative user, to upload arbitrary files. On execution of the file, the system can be fully compromised. Perez-Etchegoyen noted that this vulnerability can be exploited over HTTP, which he said makes it very critical. However, it requires an authenticated user to exploit it, adding an extra hurdle for attackers.
Also needing patching is a missing authentication check in NetWeaver applications running on IBM i-series to close a vulnerability allowing high privileged unauthorized users to read, modify, or delete sensitive information, as well as access administrative or privileged functionalities. The hole is rated 9.1 on the CVSS scale.
Perez-Etchegoyen recommends CISOs have their staff act as quickly as possible on today’s most critical fixes, the ones tagged CVSS 9.9 and 10.
However, he added, the eight HotNews and High Priority Notes are also important, and should be triaged, analyzed and ideally addressed as soon as possible.
Microsoft patches
Meanwhile Microsoft released fixes for 13 critical vulnerabilities, including a zero day, as part of its September Patch Tuesday effort.
For the third time this year, Microsoft patched more elevation of privilege vulnerabilities than remote code execution flaws, noted Satnam Narang, senior staff research engineer at Tenable, pointing out that nearly half of all bugs this month are privilege escalation vulnerabilities. Many flaws of this type addressed each Patch Tuesday require an attacker to have gained access to a target system first (post-compromise) before attempting to elevate privileges, Narang added.
Controversy over SMB fix
One of the zero day vulnerabilities patched this month is CVE-2025-55234, a privilege escalation flaw in Windows Server Message Block (SMB) that has already been publicly disclosed. In some configurations, the flaw could make SMB Server susceptible to relay attacks, Microsoft said. This patch appears to have been released to help customers audit and assess their environment and identify incompatibility issues prior to utilizing some of the hardening capabilities for SMB Servers, Narang said.
This patch is an example of some September patches that require additional activities beyond deployment, commented Mike Walters, president of Action1. Organizations must first deploy the updates to enable auditing, then assess compatibility before taking SMB Server hardening measures, which include signing and implementing Extended Protection for Authentication. CISOs should plan a phased approach to the hardening, covering assessment, testing, and implementation, to avoid business disruption, Walters advised.
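The phased approach Walters describes (deploy the update, assess which clients would break, then harden) can be scripted so that each phase is run and recorded deliberately rather than flipped in one step. The following is an added example, not code from the article, from Microsoft or from Action1. It assumes the SmbShare cmdlets that ship with Windows 8 / Windows Server 2012 and later (Get-SmbServerConfiguration, Set-SmbServerConfiguration, Get-SmbSession) and that the Signed and Encrypted columns are available on Get-SmbSession output; it covers SMB signing only, not Extended Protection for Authentication, and the $ReportPath location is an arbitrary choice.

```powershell
# Added example (not from the article, Microsoft or Action1): a phased SMB server
# signing review for one Windows host. Assumed: the SmbShare module cmdlets
# (Windows 8 / Server 2012 and later). Run from an elevated PowerShell session.
#
#   Assess    - read and record the current signing/encryption settings (read-only)
#   Test      - list active sessions and which of them are unsigned, i.e. the
#               clients that would break once signing is enforced (read-only)
#   Implement - require signing; run only after the assessment window has closed

param(
    [ValidateSet('Assess', 'Test', 'Implement')]
    [string]$Phase = 'Assess',
    # Arbitrary report location (assumption, change to suit your environment)
    [string]$ReportPath = "$env:TEMP\smb-hardening-report.csv"
)

function Get-SmbSigningState {
    # Snapshot of the server-side settings that matter for relay resistance
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        EnableSecuritySignature  = $cfg.EnableSecuritySignature   # signing offered
        RequireSecuritySignature = $cfg.RequireSecuritySignature  # signing enforced
        EncryptData              = $cfg.EncryptData
        SMB1Enabled              = $cfg.EnableSMB1Protocol        # SMB1 cannot be hardened
        Checked                  = (Get-Date).ToString('s')
    }
}

switch ($Phase) {
    'Assess' {
        $state = Get-SmbSigningState
        $state | Format-List
        # Append to a CSV so repeated runs across hosts build one inventory
        $state | Export-Csv -Path $ReportPath -NoTypeInformation -Append
        if (-not $state.RequireSecuritySignature) {
            Write-Warning "Signing is not required on $($state.ComputerName); SMB relay is not mitigated here."
        }
        if ($state.SMB1Enabled) {
            Write-Warning "SMB1 is enabled on $($state.ComputerName); SMB1 clients will not benefit from signing enforcement."
        }
    }
    'Test' {
        # Unsigned sessions (Signed = False) and old dialects identify the clients
        # that need attention before the Implement phase. Assumed: Signed and
        # Encrypted are present on Get-SmbSession output (Server 2012 R2 and later).
        Get-SmbSession -ErrorAction SilentlyContinue |
            Select-Object ClientComputerName, ClientUserName, Dialect, Signed, Encrypted |
            Sort-Object Signed |
            Format-Table -AutoSize
    }
    'Implement' {
        # Enforce signing server-side. -Force suppresses the confirmation prompt.
        Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
        Get-SmbSigningState | Format-List
    }
}
```

Run it once per host with -Phase Assess to build the inventory, repeat -Phase Test during the compatibility window to catch unsigned clients, and only then run -Phase Implement on the hosts whose sessions are clean. Keeping the three phases as separate invocations is what makes the rollout auditable: the CSV shows the starting state of every host before anything was changed.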
However, Tyler Reguly, associate director of R&D at Fortra, said, “[this listing] made me do a double take” and should have been rejected by CVE authorities. “We know that relay attacks are possible against SMB and we know that there are hardening mechanisms available to assist with this. So, why is Microsoft releasing a CVE where they state, ‘Microsoft is releasing this CVE to provide customers with audit capabilities to help them to assess their environment and to identify any potential device or software incompatibility issues before deploying SMB Server hardening measures that protect against relay attacks?’”
“As far as I’m concerned,” he said, “Microsoft told us they have assigned a CVE not because of a vulnerability, but to raise awareness to new auditing capabilities that they’ve added to assist with protective measures. If that is the case, that is a misuse of the CVE system. If that is not the case, then Microsoft needs to provide clarification very quickly.”
CISOs should ask Microsoft if there truly is a vulnerability associated with this CVE, he said. “If this is a vendor using a CVE simply to add a feature, that is something that CSOs everywhere need to push back against,” he said. “There are enough legitimate CVEs being issued that we shouldn’t have to worry about CVEs without new vulnerabilities. This just adds complexity to an already complex situation.”
Vulnerabilities in Hyper-V
Windows admins should also pay attention to quickly fixing two vulnerabilities (CVE-2025-54098 and CVE-2025-55224) in the Windows Hyper-V hypervisor. Improper access control in Hyper-V can allow an authorized attacker to elevate privileges locally, Microsoft said.
These holes demand close attention from CISOs managing enterprise data centers, according to Walters of Action1. “These guest-to-host escape flaws could put entire virtualization hosts running critical workloads at risk,” he said. “Security leaders should work closely with data center and virtualization teams to apply these patches quickly in production environments.”
Another priority for enterprise security leaders that Walters drew attention to is CVE-2025-54918, a Windows NTLM Elevation of Privilege vulnerability. NTLM is a suite of protocols for user authentication. With an 8.8 CVSS score, the flaw affects centrally managed authentication infrastructure and could let attackers gain SYSTEM-level privileges across networks, he said. Microsoft has rated it as ‘Exploitation More Likely,’ he pointed out, signaling higher urgency than other similar vulnerabilities less likely to be exploited. “Security teams should patch domain controllers and authentication servers promptly, potentially accelerating normal patch cycles for these critical systems,” he said.
Since 2022 Microsoft has patched a number of NTFS file system vulnerabilities in Windows, Tenable’s Narang said, with the majority of these flaws resulting in information disclosure or privilege escalation. However, this month Microsoft patched its second remote code execution vulnerability in NTFS in 2025. The first, CVE-2025-24993, was patched in March and was exploited in the wild as a zero-day. While this one does not appear to have been exploited, it is still certainly worth keeping an eye on, since NTFS is the primary file system used by Windows, Narang said.
Vulnerability in HPC Pack
Fortra’s Reguly flagged a critical vulnerability in the Microsoft High Performance Compute (HPC) Pack (CVE-2025-55232) that could allow unauthorized attackers to execute code over the network. “That makes this a CVSS 9.8 vulnerability and one that people need to pay attention to,” he said. Microsoft has provided mitigation steps for those who cannot update immediately. This is important, Reguly said, as the update for HPC Pack 2016 is to migrate to HPC Pack 2019; there is no fix for HPC Pack 2016. “Thankfully, Microsoft has labelled this as exploitation less likely, with a severity of important,” he said, “but it is still something that you’ll want to pay attention to if you have the High Performance Compute Pack deployed in your environment.”
Kevin Breen, senior director of threat research at Immersive, noted that while no Microsoft vulnerabilities this month are marked as being actively exploited in the wild, “that doesn’t mean security teams can sit back and rest on their laurels. There are still a number of potentially high-impact vulnerabilities that should be patched quickly. Threat actors are known to try to quickly reverse engineer security patches to create working exploits before organizations have a chance to fully roll out patches; these are commonly referred to as n-day vulnerabilities.”
He feels the previously mentioned Windows NTLM vulnerability (CVE-2025-54918) should be high on the list of patches to apply, because it’s marked by Microsoft as ‘Exploitation More Likely.’