SAP Releases Patches for Vulnerabilities in NetWeaver and S/4HANA

335/68 Thursday, September 11, 2025

SAP has issued security updates addressing multiple vulnerabilities, including three critical flaws affecting SAP NetWeaver and one high-severity flaw in SAP S/4HANA. The details are as follows:

  • CVE-2025-42944 (CVSS 10.0): An insecure deserialization vulnerability in the RMI-P4 module of SAP NetWeaver AS Java. An unauthenticated attacker who can reach an open P4 port can submit a malicious serialized payload and execute operating system commands on the host.
  • CVE-2025-42922 (CVSS 9.9): An insecure file operations vulnerability in SAP NetWeaver AS Java that enables a user authenticated with only non-administrative rights to upload and execute malicious files.
  • CVE-2025-42958 (CVSS 9.1): A missing authentication check in SAP NetWeaver on IBM i-series that could allow unauthorized users to read, modify, or delete critical data and to reach administrative functions.
  • CVE-2025-42916 (CVSS 8.1): A missing input validation issue in SAP S/4HANA that allows a high-privileged attacker to delete entries from database tables that are not protected by an authorization group.
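The P4 flaw is the one that needs no credentials, so the first practical question is which AS Java instances expose their P4 port to networks you do not trust. The script below is an added example written for this page; it is not SAP's code and not from the article. It assumes the default AS Java port scheme (5<NN>04 for P4 and 5<NN>06 for P4 over SSL, where NN is the two-digit instance number; verify this against your instance profiles), and the hostnames and the reachability table in it are constructed so it runs offline. Pass the real `is_port_open` as the probe to scan from the host you run it on.

```python
"""Exposure triage for the NetWeaver AS Java P4 port (CVE-2025-42944).

Added example, not SAP's or the article's code. Assumption: the default
AS Java port scheme, 5<NN>04 for P4 and 5<NN>06 for P4 over SSL, where
NN is the two-digit instance number. Hostnames used here are constructed.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class JavaInstance:
    host: str
    instance_nr: int  # SAP instance number, 00-99


def p4_ports(instance_nr: int) -> Dict[str, int]:
    """Return the P4 and P4-over-SSL ports for an instance number.

    Assumes the default scheme 5<NN>04 / 5<NN>06 (assumption; confirm in the
    instance profile if your landscape overrides the defaults).
    """
    if not 0 <= instance_nr <= 99:
        raise ValueError(f"instance number out of range: {instance_nr}")
    base = 50000 + instance_nr * 100
    return {"p4": base + 4, "p4_ssl": base + 6}


def is_port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """TCP connect probe: True only if a full connection is established.

    Refused, filtered, timed out and unresolvable all count as closed from
    this vantage point, which is the only thing this check can tell you.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


Probe = Callable[[str, int], bool]


def triage(instances: List[JavaInstance], probe: Probe = is_port_open) -> List[dict]:
    """Probe every instance's P4 ports and report the ones that answer.

    The probe is injectable so the logic can be exercised offline against a
    constructed reachability table instead of a live network.
    """
    findings = []
    for inst in instances:
        for service, port in p4_ports(inst.instance_nr).items():
            if probe(inst.host, port):
                findings.append({
                    "host": inst.host,
                    "instance": f"{inst.instance_nr:02d}",
                    "service": service,
                    "port": port,
                    "note": "P4 reachable from scanner; restrict at the network "
                            "layer until the CVE-2025-42944 fix is applied",
                })
    return findings


def constructed_probe(host: str, port: int) -> bool:
    """Constructed reachability table standing in for a live scan."""
    reachable = {
        ("sap-java-01.example.test", 50004),  # instance 00, plain P4 open
        ("sap-java-02.example.test", 50106),  # instance 01, P4 over SSL open
    }
    return (host, port) in reachable


if __name__ == "__main__":
    # Constructed inventory; replace with your own and use probe=is_port_open.
    inventory = [
        JavaInstance("sap-java-01.example.test", 0),
        JavaInstance("sap-java-02.example.test", 1),
        JavaInstance("sap-java-03.example.test", 10),
    ]
    for finding in triage(inventory, probe=constructed_probe):
        print(finding)
```

Two caveats on reading the output. Reachability is measured from the host running the script, so run it from the network zone you actually worry about (internet-facing segments, the general user LAN), not from an administration jump host that is allowed to reach everything. And a closed port says nothing about patch state: the findings are a firewalling worklist to buy time, not a substitute for applying the SAP correction.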

In addition, CVE-2025-42957 (CVSS 9.9) in S/4HANA, which was patched in August 2025, has already been confirmed as under active exploitation. While there are currently no reports of the newly disclosed vulnerabilities being exploited, security experts strongly urge organizations to apply the latest patches immediately to reduce the risk of compromise.

Source https://thehackernews.com/2025/09/sap-patches-critical-netweaver-cvss-up.html