Jump to the main content block
  1. Home
  2. Information Security
  3. Vulnerability Alert

【Vulnerability Alert】SAP has released a critical security advisory affecting multiple products.

publish date : 2025-09-16 update date : 2025-09-17

Source: Ministry of education information & communication security contingency platform

"" "" "" ""

Publication Number TACERT-ANA-2025091208091414 Publication Time 2025/09/12 08:27
Incident Type ANA-Vulnerability Alert Discovery Time 2025/09/12 08:27
Impact Level Low  
[Subject]
【Vulnerability Alert】SAP has released a critical security advisory affecting multiple products.

[Content]
Forwarded from TWCERTCC-200-202509-00000006

【CVE-2025-42944, CVSS: 10.0】 A deserialization vulnerability exists in SAP NetWeaver. An unauthenticated attacker can send malicious payloads via the RMI-P4 module to externally exposed ports, leading to arbitrary operating system command execution, posing potential threats to the confidentiality, integrity, and availability of the application.

【CVE-2025-42922, CVSS: 9.9】 A vulnerability exists in SAP NetWeaver AS Java that allows an authenticated administrator to upload arbitrary files, which may compromise the confidentiality, integrity, and availability of the system.

【CVE-2025-42958, CVSS: 9.1】 SAP NetWeaver applications on IBM i-series lack proper authentication checks, allowing unauthorized high-privilege users to read, modify, or delete sensitive data, and further access administrative functions or operate with privileged permissions, creating significant risks to the confidentiality, integrity, and availability of the application.

【CVE-2025-42933, CVSS: 8.8】 When users log in through the SAP Business One native client, the SLD backend service does not enforce proper encryption mechanisms for certain APIs, potentially exposing sensitive credentials in the HTTP response body and severely impacting the confidentiality, integrity, and availability of the application.

Information Sharing Level: WHITE (Information content can be publicly disclosed)

[Affected Platform]
【CVE-2025-42944】 SAP Netweaver (RMI-P4) SERVERCORE 7.50

【CVE-2025-42922】 SAP NetWeaver AS Java J2EE-APPS 7.50

【CVE-2025-42958】 SAP NetWeaver KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.53, 7.54

【CVE-2025-42933】 SAP Business One (SLD) B1_ON_HANA 10.0, SAP-M-BO 10.0"
[Recommended Actions]
Apply the fixes according to the remediation guidance released on the official website: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/september-2025.html

[Reference]
1. SAP Security Patch Day - September 2025:

https://support.sap.com/en/my-support/knowledge-base/security-notes-news/september-2025.html

2. CVE-2025-42944:

https://www.cve.org/CVERecord?id=CVE-2025-42944

3. CVE-2025-42922:

https://www.cve.org/CVERecord?id=CVE-2025-42922

4. CVE-2025-42958:

https://www.cve.org/CVERecord?id=CVE-2025-42958

5. CVE-2025-42933:

https://www.cve.org/CVERecord?id=CVE-2025-42933
(This notification is for informational purposes only and does not constitute a cybersecurity incident).
If you have questions or suggestions regarding this notification, please feel free to contact us.
Ministry of education information & communication security contingency platform
Website: https://info.cert.tanet.edu.tw/
Phone: +886-7-5250211
Internet Phone: 98400000
E-Mail: service@cert.tanet.edu.tw
Organizer: Computer Center
Click Num:
Print