Critical SAP NetWeaver Flaw Allows Attackers to Execute Arbitrary Code
A critical security vulnerability has been discovered in SAP NetWeaver AS Java Deploy Service that enables authenticated attackers to execute arbitrary code and potentially achieve complete system compromise.
The flaw, tracked as CVE-2025-42922, affects the Deploy Web Service component and poses significant risks to organizations running affected SAP environments.
Vulnerability Details and Attack Vector
According to a report by Redrays, the vulnerability stems from insecure file upload mechanisms and insufficient access control validation within the Deploy Web Service.
The core issue involves improper handling of multipart/form-data requests without adequate role-based access control (RBAC) enforcement or file type validation.
This security gap allows authenticated users with low-level privileges to bypass intended restrictions and upload malicious files to the system.
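To make the two missing controls concrete, here is an added toy model of an upload handler (not SAP's code and not taken from the Redrays report): a multipart/form-data request is parsed and the insecure path accepts anything, while the hardened path enforces a role check and a file-type check. The role header, the permitted role name, the allowed archive extensions and the ZIP-based archive format are all assumptions made for the example.

```python
import email.parser
import email.policy
import os.path

# Constructed toy model; not SAP's own request format. The role header,
# permitted role and archive types are assumptions, not advisory details.
BOUNDARY = "----demoboundary"
ALLOWED_ROLES = {"NWA_ADMIN"}          # hypothetical role allowed to deploy
ALLOWED_EXT = {".ear", ".sda"}          # hypothetical deployable archive types
ZIP_MAGIC = b"PK\x03\x04"              # assumed: archives are ZIP-based

def build_request(role, filename, content):
    """Build a minimal multipart/form-data upload request (constructed sample)."""
    body = (
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="archive"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode() + content + f"\r\n--{BOUNDARY}--\r\n".encode()
    headers = (
        f"X-User-Role: {role}\r\n"
        f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n\r\n"
    ).encode()
    return headers + body

def insecure_deploy(raw):
    """The flaw pattern the advisory describes: any authenticated user and
    any file type are accepted without a role or content check."""
    msg = email.parser.BytesParser(policy=email.policy.default).parsebytes(raw)
    part = next(p for p in msg.iter_parts())
    return ("accepted", part.get_filename())

def hardened_deploy(raw):
    """Same upload path with RBAC enforcement and file-type validation."""
    msg = email.parser.BytesParser(policy=email.policy.default).parsebytes(raw)
    if msg["X-User-Role"] not in ALLOWED_ROLES:
        return ("rejected", "insufficient role")
    if msg.get_content_type() != "multipart/form-data":
        return ("rejected", "not multipart/form-data")
    part = next(p for p in msg.iter_parts())
    name = os.path.basename(part.get_filename() or "")   # drop any path component
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXT:
        return ("rejected", f"extension not allowed: {name!r}")
    data = part.get_payload(decode=True)
    if not data.startswith(ZIP_MAGIC):                   # check content, not just name
        return ("rejected", "content is not a ZIP-based archive")
    return ("accepted", name)
```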
| CVE Number | Affected Product | Impact Assessment | CVSS 3.1 Score |
| --- | --- | --- | --- |
| CVE-2025-42922 | SAP NetWeaver AS Java Deploy Service | Critical – Arbitrary code execution and full system compromise | Not specified – Critical severity ... |
Copyright of this story solely belongs to gbhackers.