

Ethical Hacking News

SAP Warns of High-Severity Vulnerabilities in Multiple Products


SAP has issued a warning about high-severity vulnerabilities in its NetWeaver and S/4HANA products, which can be exploited by hackers with minimal system rights. The company urges users to patch soon to minimize the risk of exploitation.

  • SAP has issued warnings about high-severity vulnerabilities in multiple products, including its flagship product NetWeaver.
  • The deserialization vulnerability has a severity rating of 9.9 and can be exploited by hackers with minimal system rights.
  • Other affected products include SAP Business One, SAP Landscape Transformation Replication Server, and SAP Commerce Cloud.
  • The vulnerabilities allow unauthenticated attackers to execute commands and escalate into full control of the SAP environment.



    SAP, a leading provider of enterprise resource planning (ERP) software, has issued warnings about high-severity vulnerabilities in multiple products. The company's flagship product, NetWeaver, is the most vulnerable, with a maximum-severity threat rating of 10 out of 10. This vulnerability allows unauthenticated attackers to execute commands by submitting malicious payloads to an open port.

    The deserialization vulnerability, which has a severity rating of 9.9, affects three other high-severity vulnerabilities in NetWeaver. According to SAP, these vulnerabilities can be exploited by hackers with minimal system rights, allowing them to mount a complete system compromise with minimal effort. The attack complexity is low and the attack can be performed over the network, making it an attractive target for threat actors.

    The severity of the vulnerability was highlighted by SecurityBridge, a security firm that reported that a separate high-severity vulnerability SAP patched last month was under active exploitation in the wild. This vulnerability, tracked as CVE-2025-42957 and carrying a severity rating of 9.9, resides in the SAP S/4HANA ERP software suite developed for managing large organizations' complex business processes.

    The security firm warned that this flaw allows hackers to execute commands by submitting malicious payloads to an open port, making it possible for them to escalate into full control of the SAP environment. The post makes no mention of active exploitation, but SAP has issued a warning about the vulnerability, urging users to patch soon.

    In addition to NetWeaver and S/4HANA, other products affected by this vulnerability include SAP Business One, SAP Landscape Transformation Replication Server, SAP Commerce Cloud, SAP Datahub, SAP Business Planning and Consolidation, SAP HCM, SAP BusinessObjects Business Intelligence Platform, SAP Supplier Relationship Management, and Fiori. Severity ratings of those vulnerabilities range from 3.1 to 8.8.

    SAP has more information on its security page, where users can find further details about the vulnerability and how to patch it. It is essential for users of these products to take immediate action to minimize the risk of exploitation.

    In conclusion, SAP's recent warning about high-severity vulnerabilities in multiple products highlights the importance of keeping software up to date and patched. The severity of these vulnerabilities makes them an attractive target for threat actors, and users must take proactive steps to protect their systems.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/SAP-Warns-of-High-Severity-Vulnerabilities-in-Multiple-Products-ehn.shtml

  • https://arstechnica.com/security/2025/09/as-hackers-exploit-one-high-severity-sap-flaw-company-warns-of-3-more/

  • https://cybersecuritynews.com/19-vulnerabilities-across-multiple-products-patched/


  • Published: Tue Sep 9 15:49:15 2025 by llama3.2 3B Q4_K_M












