Today, SAP released 21 new Security Notes and 4 updates as part of its monthly Security Patch Day. Among these updates, four vulnerabilities were rated critical, each posing significant risks to enterprise environments. The remaining issues, though rated high to low, also warrant close attention due to their potential to affect core SAP systems.
CVE-2025-42944: Insecure Deserialization in SAP NetWeaver (RMI-P4)
The most severe issue disclosed this month is an insecure deserialization flaw in SAP NetWeaver’s RMI-P4 module. SAP warns: “An unauthenticated attacker could exploit the system through the RMI-P4 module by submitting malicious payload to an open port. The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high impact to the application’s confidentiality, integrity, and availability.” Rated CVSS 10.0, this vulnerability could allow attackers to achieve full remote code execution without authentication, making it a top priority for patching.
CVE-2025-42922: Insecure File Operations in SAP NetWeaver AS Java
Another critical bug affects SAP NetWeaver AS Java (Deploy Web Service). The flaw allows authenticated non-administrative users to upload arbitrary files through a vulnerable service. Once executed, such files could compromise the confidentiality, integrity, and availability of the affected system. The advisory notes: “SAP NetWeaver AS Java allows an attacker authenticated as a non-administrative user to use a flaw in an available service to upload an arbitrary file. This file when executed can lead to a full compromise.” With a CVSS score of 9.9, exploitation could enable attackers to escalate privileges and fully control the application server.
CVE-2023-27500: Directory Traversal in SAP NetWeaver AS for ABAP and ABAP Platform
SAP also updated a previously disclosed issue — a directory traversal vulnerability impacting multiple versions of SAP NetWeaver AS for ABAP and ABAP Platform. According to the updated advisory: “An attacker with non-administrative authorizations can exploit a directory traversal flaw in program SAPRSBRO to over-write system files. In this attack, no data can be read but potentially critical OS files can be over-written making the system unavailable.” With a CVSS score of 9.6, the primary risk is denial of service through file corruption, potentially crippling affected systems.
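Both the arbitrary-file-upload issue above and this directory traversal come down to one check: a caller-supplied file name must not be allowed to land outside the directory the service intends to write. As an added, generic Java illustration (not ABAP, not program SAPRSBRO, and not SAP's fix), the function below resolves a user-supplied name against a base directory and rejects it if the normalized result escapes that base, handling absolute inputs, `..` sequences, and symlinks that already exist inside the base. The base directory path and the sample inputs are hypothetical and POSIX-style.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafePathDemo {

    // Resolve userSupplied against base and return the result only if it is
    // still inside base; otherwise throw. Path.startsWith compares whole path
    // components, so "/srv/app/uploads-old" does not pass for base "/srv/app/uploads".
    static Path resolveInside(Path base, String userSupplied) throws IOException {
        Path baseAbs = base.toAbsolutePath().normalize();
        // resolve() returns userSupplied unchanged if it is absolute, so an
        // absolute input fails the containment check instead of being joined.
        Path candidate = baseAbs.resolve(userSupplied).normalize();
        if (!candidate.startsWith(baseAbs)) {
            throw new IOException("path escapes base directory: " + userSupplied);
        }
        // The lexical check cannot see symlinks; if the target already exists,
        // compare real paths so a link inside base cannot point outside it.
        if (Files.exists(candidate, LinkOption.NOFOLLOW_LINKS)) {
            Path real = candidate.toRealPath();
            if (!real.startsWith(baseAbs.toRealPath())) {
                throw new IOException("symlink escapes base directory: " + userSupplied);
            }
        }
        return candidate;
    }

    // Convenience wrapper: true if the name is accepted, false if rejected.
    // InvalidPathException covers names the filesystem cannot represent (e.g. NUL bytes).
    static boolean isInside(Path base, String userSupplied) {
        try {
            resolveInside(base, userSupplied);
            return true;
        } catch (IOException | InvalidPathException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Hypothetical base directory; it need not exist for the lexical check.
        Path base = Paths.get("/srv/app/uploads");
        String[] inputs = {                       // constructed sample inputs
            "reports/2025-09.txt",                // accepted
            "../../../etc/hosts",                 // rejected: climbs out of base
            "reports/../../../etc/hosts",         // rejected: same after normalize()
            "/etc/hosts",                         // rejected: absolute path replaces base
            "reports/..%2F..%2Fetc%2Fhosts",      // accepted as a literal file name only
        };
        for (String s : inputs) {
            System.out.printf("%-34s -> %s%n", s, isInside(base, s) ? "accepted" : "rejected");
        }
    }
}
```

The last sample input shows why the check belongs after decoding: if the application URL-decodes names at some later layer, the percent-encoded `..` separators reappear as real traversal, so canonicalize first and validate the final form that reaches the filesystem.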
CVE-2025-42958: Missing Authentication Check in SAP NetWeaver
The fourth critical issue lies in SAP NetWeaver running on IBM i-series systems. SAP describes it as a “missing authentication check in the SAP NetWeaver application… [that] allows high privileged unauthorized users to read, modify, or delete sensitive information, as well as access administrative or privileged functionalities.” This flaw, rated CVSS 9.1, can directly impact confidentiality, integrity, and availability, making it especially dangerous in enterprise deployments.
Other Vulnerabilities
Beyond the four critical issues, SAP addressed 17 additional vulnerabilities, spanning high to low severity. Notable highlights include:
- CVE-2025-42933 (CVSS 8.8) – Insecure storage of sensitive information in SAP Business One (SLD).
- CVE-2025-42929 (CVSS 8.1) – Missing input validation in SAP Landscape Transformation Replication Server.
- CVE-2025-42916 (CVSS 8.1) – Missing input validation in SAP S/4HANA.
- CVE-2025-27428 (CVSS 7.7) – Directory traversal in SAP NetWeaver and ABAP Platform.
- Multiple medium-severity flaws, such as misconfigurations in SAP Commerce Cloud, denial-of-service risks in SAP Business Planning and Consolidation, and several missing authorization checks across SAP HCM, Fiori apps, and NetWeaver.
- Low-severity issues, including information disclosure, predictable identifiers, and outdated component risks in products like SAP NetWeaver AS Java and SAP Commerce Cloud.
Organizations are strongly advised to apply the patches immediately and review their systems for potential exposure, especially in internet-facing SAP components.