Ethical Hacking News
Recent patches from SAP have addressed multiple security vulnerabilities in NetWeaver and S/4HANA, including a high-severity bug that was exploited by attackers just days after it was fixed. As enterprises continue to face an increasingly complex cybersecurity landscape, adherence to best practices is essential for protecting sensitive data.
Multiple security vulnerabilities have been addressed in SAP's NetWeaver platform, with severity ranging from 9.1 to 10.0 on the CVSS scale. Vulnerability CVE-2025-42944 allows unauthenticated attackers to execute arbitrary operating system commands through a malicious RMI-P4 module payload. Vulnerability CVE-2025-42922 enables authenticated but non-administrative users to upload arbitrary files to the system via insecure file operations. Vulnerability CVE-2025-42958 allows highly privileged unauthorized users to access sensitive information or perform administrative functions due to a missing authentication check. A high-severity missing input validation bug (CVE-2025-42916) enables attackers with high privilege access to delete arbitrary database table content if not protected by an authorization group.
In a recent release, SAP has addressed multiple security vulnerabilities in its NetWeaver platform, which could result in code execution and the upload of arbitrary files. The severity of these vulnerabilities ranges from 9.1 to 10.0 on the Common Vulnerability Scoring System (CVSS), emphasizing the need for prompt patching and adherence to best practices.
The first vulnerability, CVE-2025-42944, is a deserialization vulnerability in SAP NetWeaver that could allow an unauthenticated attacker to execute arbitrary operating system commands by submitting a malicious payload to an open port through the RMI-P4 module. Onapsis noted that this vulnerability allows an unauthenticated attacker to compromise the application entirely.
The second issue, CVE-2025-42922, is an insecure file operations vulnerability in SAP NetWeaver AS Java that could allow an authenticated but non-administrative user to upload arbitrary files to the system. This breach highlights the importance of strict access controls and regular monitoring for suspicious activity.
The third vulnerability, CVE-2025-42958, is a missing authentication check vulnerability in the SAP NetWeaver application on IBM i-series platforms that could allow highly privileged unauthorized users to access sensitive information or perform administrative functions.
SAP has also addressed a high-severity missing input validation bug in SAP S/4HANA (CVE-2025-42916) which could enable an attacker with high privilege access to ABAP reports to delete arbitrary database table content if not protected by an authorization group. This highlights the need for robust data security measures.
The patches arrive just days after SecurityBridge and Pathlock disclosed that a critical vulnerability in SAP S/4HANA (CVE-2025-42957, CVSS score: 9.9) was recently fixed by the company and had already been exploited by attackers in the wild. Given this information, it is essential for enterprises to move quickly to apply the necessary updates as soon as possible.
To mitigate these vulnerabilities, SAP users should follow best practices such as regularly monitoring their systems for suspicious activity, implementing strict access controls, updating software patches immediately upon release, and conducting thorough security audits to identify potential entry points for attackers.
Related Information:
https://www.ethicalhackingnews.com/articles/SAP-NetWeaver-and-S4HANA-Vulnerabilities-A-Growing-Concern-for-Enterprises-ehn.shtml
https://thehackernews.com/2025/09/sap-patches-critical-netweaver-cvss-up.html
https://securityaffairs.com/182040/security/sap-september-2025-patch-day-fixed-4-critical-flaws.html
https://nvd.nist.gov/vuln/detail/CVE-2025-42944
https://www.cvedetails.com/cve/CVE-2025-42944/
https://nvd.nist.gov/vuln/detail/CVE-2025-42922
https://www.cvedetails.com/cve/CVE-2025-42922/
https://nvd.nist.gov/vuln/detail/CVE-2025-42958
https://www.cvedetails.com/cve/CVE-2025-42958/
https://nvd.nist.gov/vuln/detail/CVE-2025-42916
https://www.cvedetails.com/cve/CVE-2025-42916/
https://nvd.nist.gov/vuln/detail/CVE-2025-42957
https://www.cvedetails.com/cve/CVE-2025-42957/
Published: Tue Sep 9 20:56:35 2025 by llama3.2 3B Q4_K_M
