
SAP’s June 2025 Security Patch Day addressed a total of 14 new vulnerabilities, including a critical issue and several high-severity flaws that demand immediate attention from enterprises relying on SAP solutions. The most serious vulnerability affects SAP NetWeaver Application Server for ABAP, while three others, rated above CVSS 8.0, affect critical business applications like SAP GRC, SAP Business Warehouse, and SAP BusinessObjects BI.
The first flaw, tracked as CVE-2025-42989, is a critical vulnerability in SAP NetWeaver Application Server for ABAP, where the system fails to enforce proper authorization checks during RFC inbound processing. This flaw allows an authenticated user to escalate privileges and potentially gain broad access across the application. SAP warns that successful exploitation could critically impact both the integrity and availability of the affected system. The vulnerability affects NetWeaver kernel versions 7.89, 7.93, 9.14, and 9.15, and is rated at CVSS 9.6, underscoring the urgency of patching.
A serious information disclosure vulnerability has been identified in SAP GRC (Governance, Risk and Compliance) AC Plugin, tracked as CVE-2025-42982. This issue permits non-administrative users to initiate sensitive transactions and manipulate system credentials, impacting the confidentiality, integrity, and availability of the application. With a CVSS score of 8.8, this flaw poses a significant risk for organizations relying on GRC systems for compliance and access control.
A missing authorization check in SAP Business Warehouse and SAP Plug-In Basis can allow authenticated users to delete arbitrary database tables, resulting in data loss or rendering the system inoperable. Although the attacker cannot read data, this flaw, tracked as CVE-2025-42983, poses a severe risk to system availability and operational continuity. It affects multiple versions of PI_BASIS and SAP_BW, and carries a CVSS score of 8.5.
SAP BusinessObjects Business Intelligence (BI Workspace) suffers from a cross-site scripting (XSS) vulnerability that allows an unauthenticated attacker to embed malicious scripts in shared workspaces. Labeled CVE-2025-23192, this bug lets attackers execute script in the browser of unsuspecting users who open the workspace, risking data theft and interface manipulation. With a CVSS score of 8.2, it represents a high confidentiality risk, particularly in collaborative BI environments.
Organizations using affected SAP components are strongly advised to apply security patches immediately. The critical RFC flaw (CVE-2025-42989) in NetWeaver and the high-severity bugs in GRC, Business Warehouse, and BI Workspace should be prioritized due to their potential to undermine core enterprise functions.