Critical Vulnerability Patched in SAP NetWeaver
securityweekSAP has fixed a critical NetWeaver vulnerability allowing attackers to bypass authorization checks and escalate their privileges.
Enterprise software maker SAP on Tuesday announced the release of 14 new security patches as part of its June 2025 Security Patch Day, including a note addressing a critical-severity vulnerability in NetWeaver.
Tracked as CVE-2025-42989 (CVSS score of 9.6), the critical bug is described as a missing authorization check in the NetWeaver application server for ABAP.
According to software security firm Onapsis, the issue resides in the Remote Function Call (RFC) framework and allows attackers to bypass authorization checks and elevate their privileges.
“Under certain conditions, authenticated attackers can bypass the standard authorization check on authorization object S_RFC when using transactional (tRFC) or queued RFCs (qRFC), leading to an escalation of privileges. This allows an attacker to critically impact the application’s integrity and availability,” Onapsis explains.
Organizations that apply SAP’s ...
Copyright of this story solely belongs to securityweek . To see the full text click HERE