Ethical Hacking News
SAP has released a critical security patch to address four major vulnerabilities in its NetWeaver software, which is widely used by businesses worldwide. The patches were issued as part of the company's September Patch Day, a regularly scheduled release that fixes bugs and vulnerabilities in SAP's products. Don't miss this important security alert and learn how to protect your business from these critical vulnerabilities.
SAP's NetWeaver patch addresses four major vulnerabilities. The most severe is an insecure deserialization issue (CVE-2025-42944) that allows an unauthenticated attacker to execute arbitrary OS commands. The others are insecure file operations (CVE-2025-42922), a missing authentication check (CVE-2025-42958), and a directory traversal flaw (CVE-2023-27500). Businesses should apply the patches as soon as possible to prevent significant security breaches.
The most severe vulnerability, tracked as CVE-2025-42944, is an insecure deserialization issue in the RMI-P4 module, which allows an unauthenticated attacker to execute arbitrary OS commands by submitting malicious payloads. This could lead to a full compromise of the application, making it essential for businesses to patch this vulnerability as soon as possible.
Another critical vulnerability, CVE-2025-42922, is related to insecure file operations, where non-admin users can upload and execute arbitrary files, risking full system compromise. SAP has released a hotfix to address this issue, which should be applied by all customers using NetWeaver AS ABAP.
The third critical vulnerability, CVE-2025-42958, is a missing authentication check in SAP NetWeaver BC-OP-AS4. This vulnerability could allow an attacker to bypass security checks and gain unauthorized access to the system. SAP has released a hotfix to address this issue, which should be applied by all customers using BC-OP-AS4.
The fourth critical vulnerability, CVE-2023-27500, is a directory traversal flaw in NetWeaver AS ABAP. This vulnerability could allow an attacker to access sensitive files and data on the system. SAP has released a hotfix to address this issue, which should be applied by all customers using NetWeaver AS ABAP.
It's essential for businesses to take these vulnerabilities seriously and apply the patches as soon as possible. According to Onapsis Research Labs, "The vulnerability allows an unauthenticated attacker to execute arbitrary OS commands by submitting malicious payload to an open port. A successful exploit can lead to full compromise of the application."
SAP has provided temporary workarounds for some of these vulnerabilities, such as adding P4 port filtering at the ICM level to prevent unknown hosts from connecting to the P4 port. However, these workarounds are not a substitute for applying the patches.
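As an added example (not code from the original article or from SAP), the following checker validates a candidate P4 port ACL before it is deployed: every trusted host must be permitted, every untrusted host denied, and a catch-all deny must be present. The `permit|deny <cidr>` line shape and first-match semantics are assumptions about the ICM ACL file format, and all addresses are constructed.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample ACL for the P4 port: permit two trusted networks, deny all
# else. The "permit|deny <cidr>" line shape is an assumed ACL format, not text
# quoted from SAP documentation; check the SAP note for the exact syntax.
SAMPLE_P4_ACL = """\
# P4 port ACL: only trusted hosts may reach the RMI-P4 listener
permit 10.20.0.0/16
permit 192.168.5.10/32
deny 0.0.0.0/0
"""

Rule = Tuple[str, ipaddress._BaseNetwork]


def parse_acl(text: str) -> List[Rule]:
    """Parse ACL text into (action, network) rules; reject malformed lines."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("permit", "deny"):
            raise ValueError(f"line {lineno}: expected 'permit|deny <cidr>', got {raw!r}")
        rules.append((parts[0], ipaddress.ip_network(parts[1], strict=False)))
    return rules


def is_permitted(rules: List[Rule], source_ip: str) -> bool:
    """First matching rule wins; an address matching no rule is denied (fail closed)."""
    addr = ipaddress.ip_address(source_ip)
    for action, net in rules:
        if addr in net:  # version mismatch (v4 vs v6) simply does not match
            return action == "permit"
    return False


def check_acl(text: str, trusted: List[str], untrusted: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the ACL behaves as intended."""
    rules = parse_acl(text)
    problems = []
    if not any(a == "deny" and net.prefixlen == 0 for a, net in rules):
        problems.append("no catch-all deny rule; unlisted hosts rely on default behaviour")
    problems += [f"trusted host {ip} would be blocked" for ip in trusted if not is_permitted(rules, ip)]
    problems += [f"untrusted host {ip} would be allowed" for ip in untrusted if is_permitted(rules, ip)]
    return problems
```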
In conclusion, SAP's September 2025 Patch Day is a critical security alert that requires immediate attention from businesses using NetWeaver software. The four major vulnerabilities addressed by this patch are severe and could lead to significant security breaches if left unaddressed. We strongly recommend that all customers apply these patches as soon as possible.
Related Information:
https://www.ethicalhackingnews.com/articles/SAP-September-2025-Patch-Day-A-Critical-Security-Alert-for-Businesses-ehn.shtml
https://securityaffairs.com/182040/security/sap-september-2025-patch-day-fixed-4-critical-flaws.html
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/september-2025.html
https://nvd.nist.gov/vuln/detail/CVE-2023-27500
https://www.cvedetails.com/cve/CVE-2023-27500/
https://nvd.nist.gov/vuln/detail/CVE-2025-42922
https://www.cvedetails.com/cve/CVE-2025-42922/
https://nvd.nist.gov/vuln/detail/CVE-2025-42944
https://www.cvedetails.com/cve/CVE-2025-42944/
https://nvd.nist.gov/vuln/detail/CVE-2025-42958
https://www.cvedetails.com/cve/CVE-2025-42958/
Published: Tue Sep 9 16:35:55 2025 by llama3.2 3B Q4_K_M