A critical vulnerability, CVE-2025-42922, has been found in SAP NetWeaver that allows an authenticated, low-privileged attacker to execute arbitrary code and achieve a full system compromise.
The flaw resides in the Deploy Web Service upload mechanism, where inadequate access control validation allows the upload and execution of malicious files.
This vulnerability poses a significant risk to organizations relying on affected SAP systems, as it can be exploited to gain complete control of the server.
SAP NetWeaver Vulnerability
According to Vahagn Vardanian, the root cause of the vulnerability is an insecure file upload function within the Deploy Web Service.
The service incorrectly accepts multipart/form-data requests without proper Role-Based Access Control (RBAC) enforcement or validation of the file type and content.
This oversight is due to incorrect authentication annotations and insufficient role checks in the application's code.
As a result, an attacker who has obtained any valid low-level user credentials can bypass the security controls that should restrict file deployment capabilities to administrative users only, Vahagn Vardanian said.
The mechanism fails to verify whether the authenticated user has the necessary permissions to perform such a sensitive operation, creating a direct path to code execution.
An attacker can exploit this vulnerability by first gaining access to a low-privileged user account.
Using these credentials, they can authenticate to the vulnerable Deploy Web Service and craft a multipart request containing a malicious file, such as a JavaServer Pages (JSP) script.
The application improperly accepts and uploads this file to a directory on the server where it can be executed.
The attacker then simply needs to trigger execution of the uploaded file by accessing its URL. Successful exploitation results in arbitrary code execution with the privileges of the SAP service account.
This allows the threat actor to escalate privileges, move laterally across the network, exfiltrate sensitive data, or deploy further malware, leading to a complete server takeover.
Mitigations
To address this critical issue, organizations are strongly urged to apply the patches released in SAP Security Note 3643865 immediately.
Before patching, administrators should perform a dependency analysis as outlined in SAP Note 1974464. For systems that cannot be patched right away, SAP has provided a temporary workaround in KBA 3646072.
As a supplementary measure, access to the Deploy Web Service should be restricted to administrative users only.
Security teams should audit system logs for Indicators of Compromise (IOCs), such as HTTP POST requests to DeployWS endpoints from non-administrative accounts, multipart/form-data submissions containing executable file types (JSP, WAR, EAR), or deployment activity occurring at unusual hours.
A sample filter for logs or a Web Application Firewall (WAF) could be: source.user != "admin" AND http.method == "POST" AND http.path CONTAINS "DeployWS".
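The three indicators above, applied to a handful of constructed log lines, as an added example that is not part of the original article. The log format (timestamp, user, method, path, content type, uploaded filename) is an assumption chosen for illustration; real SAP NetWeaver HTTP logs will need their own parser, and the admin user list and business-hours window are placeholders.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log lines in a hypothetical key=value format (not real SAP log output).
SAMPLE_LOGS = [
    '2025-09-10T02:13:44Z user=jdoe method=POST path=/DeployWS/upload ctype=multipart/form-data file=shell.jsp',
    '2025-09-10T10:05:01Z user=admin method=POST path=/DeployWS/upload ctype=multipart/form-data file=app.ear',
    '2025-09-10T11:22:09Z user=jdoe method=GET path=/irj/portal ctype=- file=-',
    '2025-09-10T23:40:17Z user=svc_report method=POST path=/DeployWS/deploy ctype=multipart/form-data file=report.war',
]

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) path=(?P<path>\S+) '
    r'ctype=(?P<ctype>\S+) file=(?P<file>\S+)$'
)
EXEC_EXT = ('.jsp', '.war', '.ear')   # executable deployment artefacts named in the article
ADMIN_USERS = {'admin'}               # placeholder: populate from the real admin role membership
BUSINESS_HOURS = range(7, 19)         # placeholder: 07:00-18:59 UTC treated as normal deployment time

@dataclass
class Finding:
    line: str
    reasons: list

def analyze(line):
    """Return a Finding listing every article IOC that matches this line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    reasons = []
    # IOC 1 (the article's sample filter): non-admin POST to a DeployWS endpoint
    if f['user'] not in ADMIN_USERS and f['method'] == 'POST' and 'DeployWS' in f['path']:
        reasons.append('non-admin POST to DeployWS')
    # IOC 2: multipart/form-data submission carrying an executable file type
    if f['ctype'].startswith('multipart/form-data') and f['file'].lower().endswith(EXEC_EXT):
        reasons.append('multipart upload of executable type')
    # IOC 3: deployment activity outside the expected hours
    hour = datetime.strptime(f['ts'], '%Y-%m-%dT%H:%M:%SZ').hour
    if 'DeployWS' in f['path'] and hour not in BUSINESS_HOURS:
        reasons.append('deployment outside business hours')
    return Finding(line, reasons) if reasons else None

def scan(lines):
    """Run analyze() over a log stream and keep only the lines that matched at least one IOC."""
    return [r for r in (analyze(l) for l in lines) if r]
```

Lines matching several indicators at once (here the 02:13 JSP upload by a non-admin) deserve the first look; the admin's daytime EAR deployment only trips the file-type indicator and is likely routine.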