Summary Points
- SAP released critical security updates addressing multiple vulnerabilities in SAP NetWeaver, including three with a CVSS score of 9.0 or higher, posing risks of arbitrary code execution and unauthorized file uploads.
- Notable vulnerabilities include CVE-2025-42944 (CVSS 10.0) allowing unauthenticated OS command execution, and CVE-2025-42922 (CVSS 9.9) enabling authenticated non-admin users to upload arbitrary files.
- SAP also resolved a high-severity issue in SAP S/4HANA (CVE-2025-42916, CVSS 8.1) that could let privileged attackers delete database content if authorization protections are absent.
- While no exploitation of these new vulnerabilities has been detected, immediate application of the updates is crucial for user protection against potential threats.
SAP Addresses Critical Vulnerabilities in NetWeaver
On September 10, SAP released crucial security updates addressing multiple vulnerabilities in SAP NetWeaver. Among these, three critical flaws stand out. Firstly, CVE-2025-42944 holds a CVSS score of 10.0. This deserialization vulnerability allows unauthenticated attackers to execute arbitrary commands on an operating system by sending a malicious payload to an open port in the RMI-P4 module.
Moreover, CVE-2025-42922, with a CVSS score of 9.9, relates to insecure file operations in SAP NetWeaver AS Java. This flaw grants authenticated non-administrative users the potential to upload arbitrary files. Lastly, CVE-2025-42958, scoring 9.1, involves a missing authentication check. It allows highly privileged unauthorized users to access, modify, or delete sensitive information in SAP NetWeaver applications on IBM i-series.
As the security firm Onapsis noted, the first vulnerability can lead to a complete compromise of the application. To mitigate risks temporarily, SAP recommends implementing P4 port filtering at the ICM level.
Exploited Flaws in S/4HANA Under Control
In addition to addressing NetWeaver vulnerabilities, SAP also tackled a high-severity input validation issue in SAP S/4HANA. CVE-2025-42916, with a CVSS score of 8.1, allows attackers with privileged access to ABAP reports to delete database table contents if not protected by an authorization group.
This update comes shortly after SecurityBridge and Pathlock revealed that a recently fixed security defect in SAP S/4HANA, CVE-2025-42957, is under active exploitation. While no evidence suggests that newly disclosed vulnerabilities are currently being exploited, timely application of the patches remains critical for user protection.
As businesses rely heavily on SAP applications, applying these updates swiftly is vital. Doing so not only protects sensitive data but also reinforces the overall integrity of technological systems essential to modern operations.
