SAP NetWeaver, a core foundation for many of SAP’s enterprise applications such as ERP and CRM, has been impacted by three critical vulnerabilities. The most severe flaw, CVE-2025-42944 (CVSS 10.0), is an insecure deserialization vulnerability in the RMI-P4 module that could allow an unauthenticated attacker to execute OS commands by sending a malicious Java object. While the P4 port is meant for internal use, misconfigurations can expose it to wider networks or the internet, increasing the risk.
SAP’s security bulletin for September highlights several serious vulnerabilities that could pose a significant risk to large enterprise networks. The most critical issue, identified as CVE-2025-42944, is an insecure deserialization flaw within the RMI-P4 component of SAP NetWeaver. This vulnerability, which received a maximum severity score of 10 out of 10, could allow an unauthenticated attacker to remotely execute arbitrary operating system commands. By sending a specially crafted malicious Java object to an exposed P4 port, an attacker can exploit this flaw to compromise the system.
A second critical vulnerability, CVE-2025-42922 (CVSS score of 9.9), was also patched in SAP NetWeaver AS Java. This insecure file operations bug allows an authenticated user with non-administrative access to upload arbitrary files. The flaw is located in the web service deployment functionality, and its exploitation could lead to a full system compromise. The ability to upload malicious files gives an attacker a foothold to escalate privileges and gain control over the system.
The third critical flaw addressed is a missing authentication check, CVE-2025-42958 (CVSS score of 9.1), also affecting SAP NetWeaver. This issue allows unauthorized but high-privileged users to read, modify, or delete sensitive data and access administrative functions. While it requires an existing user account with specific privileges, the vulnerability bypasses crucial authentication checks, making it easier for an attacker who has already breached part of the system to gain further access and manipulate critical data.
In addition to the critical flaws, SAP also patched several high-severity vulnerabilities. These include CVE-2025-42933 in SAP Business One SLD, which involves insecure storage of sensitive data like credentials. Other high-severity issues include CVE-2025-42929 in SLT Replication Server and CVE-2025-42916 in S/4HANA, both of which involve missing input validation that could allow attackers to corrupt, manipulate, or gain unauthorized access to data.
Given that SAP products are often used by large organizations to manage mission-critical data, these vulnerabilities are a high-value target for threat actors. Earlier this month, a critical code injection vulnerability, CVE-2025-42957, was being actively exploited. System administrators are strongly urged to apply the recommended patches and follow the mitigation advice provided by SAP to prevent potential exploitation of these and other vulnerabilities.