SAP has released a new security update addressing a broad range of vulnerabilities across its product ecosystem. Among the most alarming is a critical vulnerability identified in SAP NetWeaver, tracked as CVE-2025-42944, which has received the highest possible severity rating of CVSS 10.0.
This particular flaw allows unauthenticated attackers to execute arbitrary commands remotely, posing a significant threat to enterprise systems running the affected software.
Decoding SAP CVE-2025-42944 Vulnerability
According to SAP’s September 2025 Security Patch Day bulletin, CVE-2025-42944 stems from an insecure deserialization vulnerability within the Remote Method Invocation Protocol (RMI-P4) of SAP NetWeaver SERVERCORE version 7.50.
This vulnerability enables threat actors to deliver specially crafted payloads through an open port, which the system then deserializes and executes, potentially giving attackers full control over the targeted system.
Deserialization is the process of converting data back into an object after it has been serialized for storage or transmission. Improper validation during this process can open the door for serious exploits, such as remote code execution.
Additional High-Severity Vulnerabilities in SAP NetWeaver
In addition to CVE-2025-42944, SAP disclosed three more high-severity flaws in the same platform:
- CVE-2025-42922: An insecure file operations vulnerability in SAP NetWeaver AS Java (Deploy Web Service), rated CVSS 9.9.
- CVE-2023-27500: A directory traversal issue previously identified and updated in the March 2023 Patch Day, affecting SAP NetWeaver AS for ABAP and ABAP Platform, with a CVSS score of 9.6.
- CVE-2025-42958: A missing authentication check in various SAP NetWeaver kernel versions, rated CVSS 9.1.
SAP Security Patch Day
The September 2025 patch release includes 21 new Security Notes and 5 updates to previously released notes. SAP has urged all customers to prioritize the installation of these patches to mitigate the risk of exploitation. The updates address vulnerabilities in several major SAP products, including SAP S/4HANA, SAP Business One, SAP Commerce Cloud, and SAP HCM, among others.
Other Notable Vulnerabilities Patched
- CVE-2025-42933: A flaw related to the insecure storage of sensitive data in SAP Business One (SLD), rated CVSS 8.8.
- CVE-2025-42929 & CVE-2025-42916: Missing input validation vulnerabilities in the SAP Landscape Transformation Replication Server and SAP S/4HANA, both scored at 8.1.
- CVE-2025-27428: A directory traversal issue in SAP NetWeaver and ABAP Platform, updated from the April 2025 Patch Day, rated CVSS 7.7.
- CVE-2025-22228: A security misconfiguration in SAP Commerce Cloud and SAP Datahub involving Spring security, with a CVSS score of 6.6.
- CVE-2025-42930: A denial-of-service (DoS) vulnerability in SAP Business Planning and Consolidation, scored 6.5.
- CVE-2025-42912 to CVE-2025-42914: Multiple missing authorization checks in the SAP HCM My Timesheet Fiori 2.0 application, each rated CVSS 6.5.
- CVE-2025-42920 & CVE-2025-42938: Cross-site scripting (XSS) vulnerabilities in SAP Supplier Relationship Management and NetWeaver ABAP Platform, both scored 6.1.
Medium and Low-Risk Issues Also Addressed
While the most attention-grabbing flaws were rated critical or high, SAP also resolved several medium- and low-severity vulnerabilities:
- CVE-2025-42961: An update addressing a missing authorization check in SAP NetWeaver Application Server for ABAP, rated 4.9.
- CVE-2025-42941: A reverse tabnabbing vulnerability in SAP Fiori Launchpad, scored 3.5.
- CVE-2025-42927: An information disclosure flaw due to outdated OpenSSL versions in SAP NetWeaver AS Java (Adobe Document Service), rated 3.4.
- CVE-2024-13009: A potential resource release issue in SAP Commerce Cloud.
SAP strongly recommends that all customers log into the SAP Support Portal and apply the necessary security patches immediately to protect their systems. Unpatched vulnerabilities, especially those like CVE-2025-42944, pose a serious risk and can lead to system compromise, data theft, or service disruption.
