212/68 Thursday, June 12, 2025
SAP has released its June 2025 security updates, addressing multiple vulnerabilities, including a critical flaw in SAP NetWeaver tracked as CVE-2025-42989, with a CVSS score of 9.6. This vulnerability allows authenticated attackers to bypass authorization checks and escalate privileges, posing significant risks to system integrity and availability. The flaw resides in the Remote Function Call (RFC) framework of the SAP NetWeaver Application Server (AS ABAP) and is related to a missing authorization check on object S_RFC when using Transactional RFC (tRFC) or Queued RFC (qRFC). This oversight enables unauthorized execution of functions under the guise of general authentication, potentially giving attackers system control.
The issue is addressed in SAP Security Note #3600840, which details the technical root cause and mitigation steps. Although exploitation requires prior authentication, the vulnerability significantly increases risk due to the potential for privilege escalation without detection.
In addition to CVE-2025-42989, SAP also resolved five high-severity vulnerabilities, including:
- CVE-2025-42982 (CVSS 8.8) – Information disclosure in SAP GRC (Access Control Plugin)
- CVE-2025-42983 (CVSS 8.5) – Missing authorization checks in SAP Business Warehouse and SAP Plug-In Basis
- CVE-2025-23192 (CVSS 8.2) – Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects BI Workspace
- CVE-2025-42977 (CVSS 7.6) – Directory traversal vulnerability in SAP NetWeaver Visual Composer
- CVE-2025-42994 (CVSS 7.5) – Multiple flaws in SAP MDM Server
SAP has stated that there are currently no known active exploits of these vulnerabilities, but strongly recommends that administrators apply the patches immediately to minimize exposure to potential attacks.
