[Security Vulnerability Warning] SAP issues major security announcement for several of its products

2025/9/12 ~ 2026/3/12

Forwarded by Taiwan Computer Network Crisis Response and Coordination Center (TWCERTCC-200-202509-00000006)

[Description]
[CVE-2025-42944, CVSS: 10.0] SAP NetWeaver has a deserialization vulnerability. An unauthenticated attacker can send malicious payloads to an open port via the RMI-P4 module, thereby executing arbitrary operating system commands, posing a potential threat to the confidentiality, integrity, and availability of the application.

[CVE-2025-42922, CVSS: 9.9] SAP NetWeaver AS Java has a vulnerability that allows an attacker authenticated as an administrator to upload arbitrary files, potentially compromising the confidentiality, integrity, and availability of the system.

[CVE-2025-42958, CVSS: 9.1] The SAP NetWeaver application on IBM i-series lacks authentication checks, allowing unauthorized users with elevated privileges to read, modify, or delete sensitive data, and further to access administrative functions or perform privileged operations, posing a significant risk to the confidentiality, integrity, and availability of the application.

[CVE-2025-42933, CVSS: 8.8] When users log in through the SAP Business One native client, the SLD backend service fails to enforce proper encryption for some APIs, potentially exposing sensitive credentials in the HTTP response body. This could severely impact the confidentiality, integrity, and availability of the application.

[Affected Platforms]
[CVE-2025-42944] SAP NetWeaver (RMI-P4) SERVERCORE 7.50
[CVE-2025-42922] SAP NetWeaver AS Java J2EE-APPS 7.50
[CVE-2025-42958] SAP NetWeaver KRNL64NUC 7.22, 7.22EXT; KRNL64UC 7.22, 7.22EXT, 7.53; KERNEL 7.22, 7.53, 7.54
[CVE-2025-42933] SAP Business One (SLD) B1_ON_HANA 10.0, SAP-M-BO 10.0

[Recommended Action]
Apply the patches described in the SAP security notes published on the official website:
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/september-2025.html

[References]
1. SAP Security Patch Day - September 2025: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/september-2025.html
2. CVE-2025-42944: https://www.cve.org/CVERecord?id=CVE-2025-42944
3. CVE-2025-42922: https://www.cve.org/CVERecord?id=CVE-2025-42922
4. CVE-2025-42958: https://www.cve.org/CVERecord?id=CVE-2025-42958
5. CVE-2025-42933: https://www.cve.org/CVERecord?id=CVE-2025-42933
