SAP on Tuesday released 21 new and 4 updated security notes, including 4 notes that address critical-severity vulnerabilities in NetWeaver.
The most severe of the bugs is CVE-2025-42944 (CVSS score of 10/10), an insecure deserialization issue in the RMI-P4 module of AS Java: an unauthenticated attacker who can reach an open P4 port can submit a malicious payload and execute arbitrary OS commands.
Successful exploitation of the security defect could allow an attacker to take over the vulnerable NetWeaver infrastructure, disrupt system availability, and compromise system confidentiality.
Next in line is CVE-2025-42922 (CVSS score of 9.9), described as an insecure file operation flaw in NetWeaver AS Java's Deploy Web Service, which allows attackers to upload arbitrary files, potentially leading to remote code execution.
“On file execution, the system could be totally compromised,” enterprise application security firm Onapsis explains.
The third critical-severity vulnerability SAP patched as part of its September 2025 security patch day is CVE-2025-42958 (CVSS score of 9.1), a missing authorization check issue in NetWeaver running on IBM i-series.
The bug requires high privileges for successful exploitation and allows attackers to read, modify, or delete sensitive information, as well as to access administrative or privileged functionality.
SAP also updated a security note originally released in March 2023, which addresses a critical directory traversal defect in NetWeaver AS ABAP.
On Tuesday, SAP also released three new security notes resolving high-severity flaws in Business One (SLD), Landscape Transformation Replication Server, and S/4HANA (Private Cloud or On-Premise), and updated a high-priority note that resolves a NetWeaver and ABAP Platform bug.
Successful exploitation of these security defects could allow attackers to expose credentials, delete arbitrary tables not protected by an authorization group, or access critical information.
The remaining security notes resolve medium- and low-severity issues that could lead to denial-of-service (DoS), CSRF and XSS attacks, information disclosure, data tampering, privilege escalation, and access to restricted functionality.
SAP makes no mention of any of these vulnerabilities being exploited in the wild, but customers are advised to apply the patches as soon as possible. Threat actors are known to have exploited SAP flaws for which patches have been released.