[Vulnerability Alert] SAP Issues Critical Security Advisory Affecting Multiple Products
publish date :
2025-07-10
update date :
2025-07-10
Source: Ministry of education information & communication security contingency platform
| Publication Number | TACERT-ANA-2025071009072525 | Publication Time | 2025/07/10 09:26 |
| Incident Type | ANA-Vulnerability Alert | Discovery Time | 2025/07/10 09:26 |
| Impact Level | Low | ||
| [Subject] [Vulnerability Alert] SAP Issues Critical Security Advisory Affecting Multiple Products |
|||
| [Content] Forwarded from TWCERTCC-200-202507-00000006 SAP has disclosed several critical vulnerabilities affecting multiple products: CVE-2025-42967 (CVSS: 9.9) Affects SAP S/4HANA and SAP SCM Characteristic Propagation. Attackers with user-level privileges can generate documents via code injection, potentially gaining full control of the affected SAP system. CVE-2025-42980 (CVSS: 9.1) Found in SAP NetWeaver Enterprise Portal Federated Portal Network. Privileged users can upload untrusted or malicious content that, upon deserialization, may compromise the host system. CVE-2025-42964 (CVSS: 9.1) Affects SAP NetWeaver Enterprise Portal Administration. Similar to CVE-2025-42980, allows privileged users to upload harmful content that could lead to system compromise after deserialization. CVE-2025-42966 (CVSS: 9.1) Found in the XML Data Archiving Service of SAP NetWeaver. Authenticated users with administrative rights can exploit Java deserialization vulnerabilities to compromise confidentiality, integrity, and availability of the application. CVE-2025-42963 (CVSS: 9.1) Located in the Java logging feature of SAP NetWeaver Application Server. Authenticated administrators can fully compromise the system through malicious Java deserialization, severely impacting the application and host environment. Information Sharing Level: WHITE (Information content can be publicly disclosed) |
|||
| [Affected Platform] SCMAPO 713, 714 S4CORE 102, 103, 104 S4COREOP 105, 106, 107, 108 SCM 700, 701, 702, 712 EP-RUNTIME 7.50 J2EE-APPS 7.50 LMNWABASICAPPS 7.50 |
|||
| [Recommended Actions] Apply patches provided by SAP: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/july-2025.html |
|||
| [Reference] https://www.twcert.org.tw/tw/cp-169-10236-5d1e9-1.html |
|||
(This notification is for informational purposes only and does not constitute a cybersecurity incident).
If you have questions or suggestions regarding this notification, please feel free to contact us.
Ministry of education information & communication security contingency platform
Website: https://info.cert.tanet.edu.tw/
Phone: +886-7-5250211
Internet Phone: 98400000
E-Mail: service@cert.tanet.edu.tw
If you have questions or suggestions regarding this notification, please feel free to contact us.
Ministry of education information & communication security contingency platform
Website: https://info.cert.tanet.edu.tw/
Phone: +886-7-5250211
Internet Phone: 98400000
E-Mail: service@cert.tanet.edu.tw
Organizer:
Computer Center