Enterprise software maker SAP on Tuesday announced the release of 14 new security patches as part of its June 2025 Security Patch Day, including a note addressing a critical-severity vulnerability in NetWeaver.
Tracked as CVE-2025-42989 (CVSS score of 9.6), the critical bug is described as a missing authorization check in the NetWeaver application server for ABAP.
According to software security firm Onapsis, the issue resides in the Remote Function Call (RFC) framework and allows attackers to bypass authorization checks and elevate their privileges.
“Under certain conditions, authenticated attackers can bypass the standard authorization check on authorization object S_RFC when using transactional (tRFC) or queued RFCs (qRFC), leading to an escalation of privileges. This allows an attacker to critically impact the application’s integrity and availability,” Onapsis explains.
Organizations that apply SAP’s note may need to assign additional S_RFC permissions to some users, the security firm points out.
On June 2025 Security Patch Day, SAP also released five security notes that address high-severity flaws, six that resolve medium-severity bugs, and two dealing with low-severity issues.
The high-severity vulnerabilities include an information disclosure in GRC (AC Plugin), a missing authorization check in Business Warehouse and Plug-In Basis, an XSS defect in BusinessObjects, a directory traversal flaw in NetWeaver Visual Composer, and multiple bugs in MDM Server.
Successful exploitation of these vulnerabilities could allow attackers to modify or control transmitted system credentials, delete database tables, access sensitive session information, read and modify arbitrary files, cause a denial-of-service condition, and gain control of existing client sessions.
Between the May Security Patch Day and the fresh batch of fixes, SAP also updated four security notes, including two that resolve high-severity flaws in BusinessObjects and Landscape Transformation (PCL Basis).
SAP makes no mention of any of these vulnerabilities being exploited in attacks, but users are advised to update their applications as soon as possible, especially following the widespread exploitation of two recent NetWeaver bugs.
Related: SAP Patches Another Exploited NetWeaver Vulnerability
Related: SAP Zero-Day Targeted Since January, Many Sectors Impacted
Related: Cisco Patches Critical ISE Vulnerability With Public PoC
