On Tuesday, SAP released a security update to address multiple security flaws, including three critical vulnerabilities in SAP NetWeaver.
The vulnerabilities are listed below –
CVE-2025-42944 (CVSS score: 10.0) – SAP NetWeaver degassing vulnerability allows unauthorized attackers to submit malicious payloads to open ports via RMI-P4 modules and execute operating system commands CVE-2025-42922 (CVSS score: 9.9) – NetWeaver as Java, which allows attackers authenticated as non-administrative users to upload any file CVE-2025-42958 (CVSS score: 9.1), lacks the lack of vulnerability in SAP NetWeaver application in IBM I-Series that allows users to read the sensitive users of very good users. Privileged features
“[CVE-2025-42944] According to Onapsis, it allows unauthenticated attackers to send malicious payloads to open ports to execute arbitrary OS commands. As a temporary workaround, customers should add P4 port filtering to the ICM level to prevent unknown hosts from connecting to P4 ports. ”
Also, what is being addressed in SAP is an advanced missing input verification bug in SAP S/4HANA (CVE-2025-42916, CVSS score: 8.1).
The patch arrived days after SecurityBridge and Pathlock revealed that SAP S/4HANA serious security flaws (CVE-2025-42957, CVSS score: 9.9) that were fixed by the company last month were undergoing active exploitation in the wild.
There is no evidence that the newly disclosed issues have been weaponized by bad actors, but it is essential that users move to apply the necessary updates as soon as possible for optimal protection.
Source link
