【Vulnerability Alert】SAP has released a critical security advisory affecting multiple products.

Publish date: 2025-09-16   Update date: 2025-09-17

Source: Ministry of Education Information & Communication Security Contingency Platform


Publication Number: TACERT-ANA-2025091208091414
Publication Time: 2025/09/12 08:27
Incident Type: ANA-Vulnerability Alert
Discovery Time: 2025/09/12 08:27
Impact Level: Low
[Subject]
【Vulnerability Alert】SAP has released a critical security advisory affecting multiple products.

[Content]
Forwarded from TWCERTCC-200-202509-00000006

【CVE-2025-42944, CVSS: 10.0】 A deserialization vulnerability exists in SAP NetWeaver. An unauthenticated attacker can send a malicious payload to an externally exposed port of the RMI-P4 module, leading to arbitrary operating system command execution and threatening the confidentiality, integrity, and availability of the application.

【CVE-2025-42922, CVSS: 9.9】 A vulnerability exists in SAP NetWeaver AS Java that allows an authenticated administrator to upload arbitrary files, which may compromise the confidentiality, integrity, and availability of the system.

【CVE-2025-42958, CVSS: 9.1】 SAP NetWeaver applications on IBM i-series lack proper authentication checks, allowing an unauthorized high-privilege user to read, modify, or delete sensitive data and to reach administrative functions or operate with privileged permissions, creating significant risks to the confidentiality, integrity, and availability of the application.

【CVE-2025-42933, CVSS: 8.8】 When a user logs in through the SAP Business One native client, the SLD backend service does not enforce proper encryption for certain APIs, potentially exposing sensitive credentials in the HTTP response body and severely impacting the confidentiality, integrity, and availability of the application.

Information Sharing Level: WHITE (Information content can be publicly disclosed)

[Affected Platform]
【CVE-2025-42944】 SAP NetWeaver (RMI-P4) SERVERCORE 7.50

【CVE-2025-42922】 SAP NetWeaver AS Java J2EE-APPS 7.50

【CVE-2025-42958】 SAP NetWeaver KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54

【CVE-2025-42933】 SAP Business One (SLD) B1_ON_HANA 10.0, SAP-M-BO 10.0
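The affected-platform lines above pack several components and releases into one string per CVE. The following added example (not part of the advisory or of any SAP tooling) parses those lines into (component, release) pairs and matches them against a constructed component inventory, so an operator can see which CVEs apply to which installed components; the inventory format and the SAMPLE_INVENTORY values are assumptions for this example.

```python
import re
from collections import defaultdict

# Affected-platform lines as given in the advisory above.
ADVISORY_AFFECTED = {
    "CVE-2025-42944": "SAP NetWeaver (RMI-P4) SERVERCORE 7.50",
    "CVE-2025-42922": "SAP NetWeaver AS Java J2EE-APPS 7.50",
    "CVE-2025-42958": "SAP NetWeaver KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54",
    "CVE-2025-42933": "SAP Business One (SLD) B1_ON_HANA 10.0, SAP-M-BO 10.0",
}

# A comma-separated piece is "<optional words> <release>": the release is
# digits.digits plus an optional suffix (7.22EXT); the last word before it is the
# component, and a bare release reuses the component of the previous piece.
_PIECE = re.compile(r"^(?:(?P<prefix>.+?)\s+)?(?P<release>\d+\.\d+[A-Za-z0-9]*)$")

def parse_affected(line):
    """Return [(component, release), ...] for one affected-platform line."""
    pairs, component = [], None
    for piece in line.split(","):
        m = _PIECE.match(piece.strip())
        if m and m.group("prefix"):
            component = m.group("prefix").split()[-1].upper()
        if not m or component is None:
            raise ValueError(f"unparseable piece: {piece!r}")
        pairs.append((component, m.group("release").upper()))
    return pairs

def build_index(advisory=ADVISORY_AFFECTED):
    """Map (component, release) -> sorted CVE ids that list that combination."""
    index = defaultdict(set)
    for cve, line in advisory.items():
        for pair in parse_affected(line):
            index[pair].add(cve)
    return {key: sorted(cves) for key, cves in index.items()}

def match_inventory(inventory, index=None):
    """inventory: (component, release) strings from a system's component list.
    Returns {(component, release): [cve, ...]} for each hit; a hit means 'apply
    the SAP note', since the advisory names releases, not patch levels."""
    index = build_index() if index is None else index
    hits = {}
    for component, release in inventory:
        key = (component.upper(), release.upper())
        if key in index:
            hits[key] = index[key]
    return hits

# Constructed sample inventory for demonstration; not read from any real system.
SAMPLE_INVENTORY = [("KERNEL", "7.53"), ("SERVERCORE", "7.50"),
                    ("KERNEL", "7.89"), ("J2EE-APPS", "7.40")]
```

A release match only says the component is in scope of the SAP note; whether the installed patch level already contains the fix must be confirmed against the note itself.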

[Recommended Actions]
Apply the fixes according to the remediation guidance published on SAP's official website: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/september-2025.html

[Reference]
1. SAP Security Patch Day - September 2025: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/september-2025.html
2. CVE-2025-42944: https://www.cve.org/CVERecord?id=CVE-2025-42944
3. CVE-2025-42922: https://www.cve.org/CVERecord?id=CVE-2025-42922
4. CVE-2025-42958: https://www.cve.org/CVERecord?id=CVE-2025-42958
5. CVE-2025-42933: https://www.cve.org/CVERecord?id=CVE-2025-42933

(This notification is for informational purposes only and does not constitute a cybersecurity incident.)
If you have questions or suggestions regarding this notification, please feel free to contact us.
Ministry of Education Information & Communication Security Contingency Platform
Website: https://info.cert.tanet.edu.tw/
Phone: +886-7-5250211
Internet Phone: 98400000
E-Mail: service@cert.tanet.edu.tw
Organizer: Computer Center