Cyber Web Spider Blog – News

Critical Vulnerability Patched in SAP NetWeaver

Posted on June 10, 2025 By CWS

Enterprise software maker SAP on Tuesday announced the release of 14 new security patches as part of its June 2025 Security Patch Day, including a note addressing a critical-severity vulnerability in NetWeaver.

Tracked as CVE-2025-42989 (CVSS score of 9.6), the critical bug is described as a missing authorization check in the NetWeaver application server for ABAP.

According to software security firm Onapsis, the issue resides in the Remote Function Call (RFC) framework and allows attackers to bypass authorization checks and elevate their privileges.

“Under certain conditions, authenticated attackers can bypass the standard authorization check on authorization object S_RFC when using transactional (tRFC) or queued RFCs (qRFC), leading to an escalation of privileges. This allows an attacker to critically impact the application’s integrity and availability,” Onapsis explains.

Organizations that apply SAP’s note may need to assign additional S_RFC permissions to some users, the security firm points out.

On June 2025 Security Patch Day, SAP also released five security notes that address high-severity flaws, six that resolve medium-severity bugs, and two dealing with low-severity issues.

The high-severity vulnerabilities include an information disclosure in GRC (AC Plugin), a missing authorization check in Business Warehouse and Plug-In Basis, an XSS defect in BusinessObjects, a directory traversal flaw in NetWeaver Visual Composer, and multiple bugs in MDM Server.

Successful exploitation of these vulnerabilities could allow attackers to modify or control transmitted system credentials, delete database tables, access sensitive session information, read and modify arbitrary files, cause a denial-of-service condition, and gain control of existing client sessions.

Between the May Security Patch Day and the fresh batch of fixes, SAP also updated four security notes, including two that resolve high-severity flaws in BusinessObjects and Landscape Transformation (PCL Basis).

SAP makes no mention of any of these vulnerabilities being exploited in attacks, but users are advised to update their applications as soon as possible, especially following the widespread exploitation of two recent NetWeaver bugs.

Related: SAP Patches Another Exploited NetWeaver Vulnerability

Related: SAP Zero-Day Targeted Since January, Many Sectors Impacted

Related: Cisco Patches Critical ISE Vulnerability With Public PoC
