SAP NetWeaver Java Log Viewer Hit by Critical Deserialization Flaw (CVE-2025-42963)

A critical Java deserialization vulnerability (CVE-2025-42963) in the Log Viewer of SAP NetWeaver Application Server for Java allows an authenticated attacker to fully compromise the underlying system.
CVE Analysis


ZeroPath Security Research

2025-07-07

Introduction

SAP NetWeaver, a foundational enterprise platform powering critical business processes for thousands of global organizations, is facing a severe security threat. A critical Java deserialization vulnerability (CVE-2025-42963) in its Log Viewer component has emerged, posing a significant risk of full system compromise.

Technical Information

The vulnerability resides in the SAP NetWeaver Application Server for Java Log Viewer, specifically in its handling of serialized Java objects. An authenticated administrator can exploit the flaw by uploading a malicious serialized object (.ser file) through the component's diagnostic interface. Because the Log Viewer does not validate the object types contained in the stream before deserializing it, a crafted payload can trigger an embedded gadget chain during deserialization. The chain uses Java reflection APIs and ultimately invokes java.lang.Runtime.exec() to run arbitrary OS commands with sapadm privileges. The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data), a reminder that every object type in a serialized stream must be validated before it is deserialized.

Attack Vector and Exploitation

  1. Initial Access: Requires authenticated administrator privileges.
  2. Payload Delivery: Malicious serialized object files uploaded via Log Viewer diagnostic interface.
  3. Execution: JVM deserializes the object, triggering execution of embedded gadget chains.
  4. Impact: Full OS-level compromise, affecting confidentiality, integrity, and availability.
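The root cause described above is an ObjectInputStream that reconstructs whatever classes an uploaded .ser file names, so any gadget chain on the classpath runs during deserialization. The following Java snippet is an added illustration, not code from SAP or from this report: it contrasts an unfiltered readObject() with the same import guarded by a JEP 290 ObjectInputFilter that allowlists the only classes a legitimate upload is expected to contain and caps stream depth and size. The class name com.example.logviewer.LogSnapshot and the contents of the allowlist are assumptions; the filter API itself is the standard JDK 9+ java.io.ObjectInputFilter.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Set;

public class SafeLogImport {

    // Hypothetical allowlist: the only types a valid diagnostic upload should carry.
    // java.lang.Object is needed because ArrayList.readObject asks the filter to
    // approve its backing Object[] before allocating it.
    private static final Set<String> ALLOWED = Set.of(
            "com.example.logviewer.LogSnapshot",   // assumed application type
            "java.util.ArrayList",
            "java.lang.Object",
            "java.lang.String");

    // Vulnerable pattern: every class named in the stream is resolved and
    // reconstructed, so a crafted file can drive a gadget chain.
    static Object importUnsafe(byte[] uploaded) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(uploaded))) {
            return in.readObject();
        }
    }

    // Hardened pattern: an allowlist filter plus resource limits is installed
    // before readObject(), so unexpected classes are rejected before resolution.
    static Object importFiltered(byte[] uploaded) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = info -> {
            Class<?> c = info.serialClass();
            if (c == null) {
                // Called without a class for limit checks only; leave the decision open.
                return ObjectInputFilter.Status.UNDECIDED;
            }
            while (c.isArray()) {
                c = c.getComponentType();
            }
            if (c.isPrimitive()) {
                return ObjectInputFilter.Status.ALLOWED;
            }
            return ALLOWED.contains(c.getName())
                    ? ObjectInputFilter.Status.ALLOWED
                    : ObjectInputFilter.Status.REJECTED;
        };
        // Pattern-string filter for nesting depth, reference count and stream size.
        ObjectInputFilter limits =
                ObjectInputFilter.Config.createFilter("maxdepth=10;maxrefs=1000;maxbytes=1048576");
        ObjectInputFilter combined = info -> {
            ObjectInputFilter.Status s = limits.checkInput(info);
            return s == ObjectInputFilter.Status.REJECTED ? s : allowlist.checkInput(info);
        };
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(uploaded))) {
            in.setObjectInputFilter(combined);   // must be set before the first readObject()
            return in.readObject();
        }
    }

    // Helper to build constructed sample uploads for the demonstration.
    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a benign list of log lines, and a type the
        // importer never expects (standing in for any non-allowlisted class).
        byte[] benign = serialize(new ArrayList<>(List.of("2025-07-07 INFO started", "2025-07-07 WARN retry")));
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("unsafe import accepts anything: " + importUnsafe(unexpected));
        System.out.println("filtered import of benign data: " + importFiltered(benign));
        try {
            importFiltered(unexpected);
        } catch (InvalidClassException e) {
            // The JDK reports the filter decision in the exception message.
            System.out.println("filtered import rejected unexpected type: " + e.getMessage());
        }
    }
}
```

The same allowlist can be enforced process-wide, without touching application code, through the JVM's jdk.serialFilter system property or the corresponding entry in the JDK's security properties file; a per-stream filter as shown above is preferable where the expected types are known, because it can be far narrower than a global policy. Either way, the filter is consulted before a class is resolved, which is the point at which a gadget chain has to be stopped.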

Affected Systems and Versions

  • SAP NetWeaver Application Server for Java (specific affected versions not detailed in provided information).
  • Log Viewer component specifically vulnerable to unsafe Java object deserialization.

Vendor Security History

SAP has historically encountered similar Java deserialization vulnerabilities, notably CVE-2017-9844 and CVE-2024-22127. The vendor typically demonstrates a prompt response, with critical patches released within approximately 28 days. However, recurring vulnerabilities indicate ongoing challenges in secure Java coding practices.

Recommendations

Organizations are advised to prioritize remediation measures immediately, given the high likelihood of imminent exploitation attempts.

Source: This report was created using AI