
SAP Patches Critical NetWeaver Vulnerabilities

The critical-severity NetWeaver flaws could be exploited for remote code execution and privilege escalation.

SAP on Tuesday announced 21 new and four updated security notes, including four notes that address critical-severity vulnerabilities in NetWeaver.

The most severe of the bugs is CVE-2025-42944 (CVSS score of 10/10), an insecure deserialization issue in the RMI-P4 module of AS Java that allows unauthenticated attackers to submit malicious payloads to an open port and execute arbitrary OS commands.

Successful exploitation of the security defect could allow an attacker to take over the vulnerable NetWeaver infrastructure, disrupt system availability, and compromise system confidentiality.

Next in line is CVE-2025-42922 (CVSS score of 9.9), described as an insecure file operation flaw in NetWeaver AS Java’s Deploy Web Service, which allows attackers to upload arbitrary files, potentially leading to remote code execution.

“On file execution, the system can be fully compromised,” enterprise application security firm Onapsis explains.

The third critical-severity vulnerability SAP patched as part of its September 2025 security patch day is CVE-2025-42958 (CVSS score of 9.1), a missing authorization check issue in NetWeaver running on IBM i-series.

The bug requires high privileges for successful exploitation and allows attackers to read, modify, or delete sensitive information, as well as to access administrative or privileged functionality.

SAP also updated a security note initially released in March 2023, which addresses a critical directory traversal defect in NetWeaver AS ABAP.

On Tuesday, SAP released three new security notes resolving high-severity flaws in Business One (SLD), Landscape Transformation Replication Server, and S/4HANA (Private Cloud or On-Premise), and updated a high-priority note that resolves a NetWeaver and ABAP Platform bug.

Successful exploitation of these security defects could allow attackers to expose credentials, delete arbitrary tables not protected by an authorization group, or access critical information.

The remaining security notes resolve medium- and low-severity issues that could lead to denial-of-service (DoS), CSRF and XSS attacks, information disclosure, data tampering, privilege escalation, and access to restricted functionality.

SAP makes no mention of any of these vulnerabilities being exploited in the wild, but users are advised to apply the patches as soon as possible. Threat actors are known to have exploited SAP flaws for which patches have been released.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
