SAP Issues Critical Security Update: Addressing Major Vulnerabilities
SAP has recently rolled out a significant security update aimed at mitigating numerous vulnerabilities across its comprehensive suite of products. Among the most concerning is a critical flaw identified in SAP NetWeaver, designated as CVE-2025-42944, which has been assigned a maximum severity score of CVSS 10.0. This urgent update underscores the importance of robust cybersecurity measures for enterprises utilizing SAP technology.
Understanding the CVE-2025-42944 Vulnerability
According to SAP’s Security Patch Day bulletin for September 2025, CVE-2025-42944 originates from an insecure deserialization vulnerability linked to the Remote Method Invocation Protocol (RMI-P4) within SAP NetWeaver SERVERCORE version 7.50. This flaw has serious implications, permitting unauthenticated attackers to execute arbitrary commands remotely. Consequently, this breach could grant them extensive control over affected enterprise systems.
Deserialization involves converting data back to its original object form after it has been stored or transmitted, and inadequate validation during this process can facilitate severe exploits such as remote code execution. This means threat actors could leverage this vulnerability to deploy specially crafted payloads through an open network port, potentially resulting in disastrous consequences for targeted systems.
Other High-Severity Vulnerabilities in SAP NetWeaver
Alongside the alarming CVE-2025-42944, SAP disclosed three additional high-severity vulnerabilities within the same platform:
-
CVE-2025-42922: This vulnerability involves insecure file operations in SAP NetWeaver AS Java, specifically within Deploy Web Service, with a severity rating of CVSS 9.9.
-
CVE-2023-27500: Previously reported in the March 2023 Patch Day, this directory traversal issue affects SAP NetWeaver AS for ABAP and the ABAP Platform, scoring 9.6.
- CVE-2025-42958: This flaw pertains to a missing authentication check impacting various SAP NetWeaver kernel versions, rated CVSS 9.1.
SAP Security Patch Day Overview
The September 2025 patch release comprises 21 new Security Notes and updates to five previously disclosed issues. SAP strongly advises all customers to prioritize the implementation of these patches to reduce the risk of potential exploitation. These updates target vulnerabilities across various major SAP products, including S/4HANA, Business One, Commerce Cloud, and HCM, protecting enterprises from potential breaches.
Additional Vulnerabilities Addressed
In addition to the critical vulnerabilities highlighted, SAP has also addressed several other notable risks in this patch, including:
-
CVE-2025-42933: Associated with the insecure storage of sensitive data in SAP Business One, rated CVSS 8.8.
-
CVE-2025-42929 and CVE-2025-42916: These vulnerabilities involve missing input validation in the SAP Landscape Transformation Replication Server and SAP S/4HANA, both with a severity of 8.1.
- CVE-2025-27428: A directory traversal issue in SAP NetWeaver and the ABAP Platform, with a CVSS score of 7.7.
Medium and Low-Risk Vulnerabilities Also Resolved
While critical vulnerabilities often grab the most attention, SAP did not neglect medium- and low-risk issues in this update:
-
CVE-2025-42961: This update addresses a missing authorization check in the SAP NetWeaver Application Server for ABAP, rated 4.9.
-
CVE-2025-42941: A reverse tabnabbing vulnerability found in SAP Fiori Launchpad, scored at 3.5.
- CVE-2025-42927: This flaw relates to information disclosure from outdated OpenSSL versions in SAP NetWeaver AS Java, rated 3.4.
Recommendations for SAP Users
SAP strongly encourages its customers to access the SAP Support Portal and promptly apply the necessary security patches to safeguard their systems. Unresolved vulnerabilities like CVE-2025-42944 pose a critical threat, potentially leading to system compromises, data breaches, or service disruptions. Timely updates can significantly enhance the security posture of organizations reliant on SAP software, ensuring they remain protected against emerging cyber threats.
