SAP Patches Critical NetWeaver Vulnerabilities
securityweek
SAP on Tuesday announced 21 new and four updated security notes, including four notes that address critical-severity vulnerabilities in NetWeaver.
The most severe of the bugs is CVE-2025-42944 (CVSS score of 10/10), an insecure deserialization flaw in the RMI-P4 module of NetWeaver AS Java. An unauthenticated attacker who can reach the exposed P4 port can send a crafted serialized object and have the server execute arbitrary operating system commands.
Successful exploitation of the security defect could allow an attacker to take over the vulnerable NetWeaver infrastructure, disrupt system availability, and compromise system confidentiality.
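To make the bug class concrete, here is an added illustration (written for this page; it is not SAP's code and says nothing about how the RMI-P4 flaw itself is triggered). It shows the pattern that makes Java deserialization of network input dangerous, a service calling ObjectInputStream.readObject() on bytes the client controls, beside the JEP 290 ObjectInputFilter allowlist that is the standard mitigation on Java 9 and later. The Ping class, the filter pattern and the use of HashMap as a stand-in for an attacker-chosen class are all assumptions of the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

// Added illustration of the bug class (not SAP's code): a service that calls
// ObjectInputStream.readObject() on bytes from the network lets the sender
// choose which classes get instantiated, and any readObject/readResolve hook
// on those classes runs before the service ever sees the result. The JEP 290
// ObjectInputFilter (Java 9+) is the standard mitigation.
public class DeserializationFilterDemo {

    // The one message type this hypothetical service legitimately accepts.
    public static final class Ping implements Serializable {
        private static final long serialVersionUID = 1L;
        final String token;
        Ping(String token) { this.token = token; }
    }

    // Stand-in for "bytes received on the socket".
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // VULNERABLE pattern: no filter, so every class named in the stream is
    // resolved and reconstructed on the sender's say-so.
    static Object readUnfiltered(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            return ois.readObject();
        }
    }

    // HARDENED pattern: allowlist the exact classes the protocol needs, cap
    // depth and size, and reject everything else ("!*") before the class is
    // even loaded. Adjust the class name if Ping is moved into a package.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "DeserializationFilterDemo$Ping;java.lang.String;maxdepth=4;maxbytes=4096;!*");

    static Object readFiltered(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            ois.setObjectInputFilter(ALLOWLIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Ping("health-check"));
        // HashMap is harmless by itself; it stands in for whatever class an
        // attacker would name in a real gadget chain. The point is that the
        // unfiltered reader instantiates it without asking.
        byte[] attackerChosen = serialize(new HashMap<String, String>());

        System.out.println("unfiltered, Ping    -> " + readUnfiltered(expected).getClass().getName());
        System.out.println("unfiltered, HashMap -> " + readUnfiltered(attackerChosen).getClass().getName());
        System.out.println("filtered,   Ping    -> " + readFiltered(expected).getClass().getName());
        try {
            readFiltered(attackerChosen);
            System.out.println("filtered,   HashMap -> accepted (filter misconfigured)");
        } catch (InvalidClassException e) {
            System.out.println("filtered,   HashMap -> rejected: " + e.getMessage());
        }
    }
}
```

Save it as DeserializationFilterDemo.java and run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo` on JDK 9 or later. The unfiltered reader returns a java.util.HashMap simply because the stream asked for one; the filtered reader throws InvalidClassException with a "REJECTED" status before the class is resolved, which is the property you want on any listener that accepts serialized objects from the network. A process-wide default can also be set with the `jdk.serialFilter` system property, which is useful when the vulnerable call is in code you do not own.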
Next in line is CVE-2025-42922 (CVSS score of 9.9), described as an insecure file operation flaw in NetWeaver AS Java’s Deploy Web Service, which allows attackers to upload arbitrary files, potentially leading to remote code execution.
“On file execution, the system can be fully compromised,” enterprise application security firm Onapsis explains.
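The page does not say how the Deploy Web Service flaw is triggered, so the following is an added illustration of the general "arbitrary file write" shape only, not a description of CVE-2025-42922 and not SAP's code. It puts the naive join of a client-supplied file name onto a content directory beside the checks a deployment endpoint should apply: path normalisation, containment under the base directory, an extension allowlist and a no-overwrite write. The directory name, the allowed extensions and the sample file names are constructed for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.util.List;
import java.util.Set;

// Added illustration (not SAP's code, and not a description of the actual
// Deploy Web Service bug): the generic shape of an "arbitrary file write"
// in a deployment endpoint, next to the checks that keep a client-supplied
// file name inside the intended directory and restricted to expected types.
public class UploadPathDemo {

    // Hypothetical: the only archive types this endpoint should ever write.
    static final Set<String> ALLOWED_EXT = Set.of("ear", "sda", "sca");

    // VULNERABLE: joining the client name onto the base directory with no
    // normalisation lets "../" segments or an absolute path escape it, and
    // nothing constrains what kind of file lands on disk.
    static Path unsafeTarget(Path base, String clientName) {
        return base.resolve(clientName);
    }

    // HARDENED: normalise, require the result to remain under base, and
    // require an allowlisted extension. startsWith() compares whole path
    // components, so a sibling directory with the same prefix does not pass.
    static Path safeTarget(Path base, String clientName) throws IOException {
        Path root = base.toAbsolutePath().normalize();
        Path candidate = root.resolve(clientName).normalize();
        if (candidate.equals(root) || !candidate.startsWith(root)) {
            throw new IOException("name escapes upload directory: " + clientName);
        }
        String fileName = candidate.getFileName().toString();
        int dot = fileName.lastIndexOf('.');
        String ext = dot < 0 ? "" : fileName.substring(dot + 1).toLowerCase();
        if (!ALLOWED_EXT.contains(ext)) {
            throw new IOException("extension not allowed: " + fileName);
        }
        return candidate;
    }

    // Write with CREATE_NEW so a deploy request cannot silently overwrite
    // something that is already there.
    static void store(Path base, String clientName, byte[] body) throws IOException {
        Path target = safeTarget(base, clientName);
        Files.createDirectories(target.getParent());
        Files.write(target, body, StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE);
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("deploy-demo");
        byte[] body = "constructed sample archive bytes".getBytes(StandardCharsets.UTF_8);
        // Constructed sample names a client might send, benign and hostile.
        List<String> names = List.of(
                "app.ear",
                "vendor/app.sca",
                "../../../usr/sap/startup.sh",
                "/etc/cron.d/job",
                "app.jsp");
        for (String name : names) {
            System.out.println("unsafe : " + name + " -> " + unsafeTarget(base, name).normalize());
            try {
                store(base, name, body);
                System.out.println("safe   : " + name + " -> stored at " + safeTarget(base, name));
            } catch (IOException | InvalidPathException e) {
                System.out.println("safe   : " + name + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Run it as `javac UploadPathDemo.java && java UploadPathDemo` (JDK 9 or later; the paths shown assume a Unix filesystem). The "unsafe" lines show where the traversal and absolute-path names would have landed; the "safe" lines show only the two archive names being written, with the traversal, the absolute path and the .jsp name rejected. InvalidPathException is caught alongside IOException because Path construction itself rejects names containing a NUL byte, and an endpoint should treat that as a rejection rather than a server error.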
The third critical-severity vulnerability SAP patched as part of its September 2025 ...
Copyright of this story solely belongs to securityweek.