Skip to main content
A Singapore Government Agency Website How to identify
Official website links end with .gov.sg
Government agencies communicate via .gov.sg websites (e.g. go.gov.sg/open). Trusted websites
Secure websites use HTTPS
Look for a lock () or https:// as an added precaution. Share sensitive information only on official, secure websites.

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam.

Cyber Security Agency of Singapore
Alerts

Critical Vulnerabilities in SAP NetWeaver

12 September 2025

SAP has released security updates addressing critical vulnerabilities in SAP NetWeaver. Users and administrators of affected product versions are strongly advised to update to the latest versions immediately.

Update

As part of SAP's Security Patch Day - October 2025, SAP has released security patches further addressing CVE-2025-42944 and some vulnerabilities in it's other products. For more information, please refer to: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/bulletin-2025.html#:~:text=SAP%20Security%20Patch%20Day%20%2D%20October%202025

Background

SAP has released security updates addressing critical vulnerabilities (CVE-2025-42944, CVE-2025-42922, CVE-2025-42958) in SAP NetWeaver. 

Impact

  • CVE-2025-42944: Successful exploitation of the deserialisation vulnerability could allow an unauthenticated attacker to execute arbitrary code. This vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 10 out of 10.

  • CVE-2025-42922: Successful exploitation of the insecure file operations vulnerability could allow an attacker authenticated as a non-administrative user to upload an arbitrary file, potentially leading to a full system compromise. This vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 9.9 out of 10.

  • CVE-2025-42958: Successful exploitation of the missing authentication check vulnerability could allow an attacker with elevated privileges to read, modify, or delete sensitive information, as well as access administrative or privileged functionalities.

Affected Products

The vulnerabilities affect the following products:

For CVE-2025-42944: 

    - NetWeaver (RMI-P4) SERVERCORE 7.50

For CVE-2025-42922:

    - NetWeaver AS Java (Deploy Web Service) J2EE-APPS 7.50

For CVE-2025-42958:

    - NetWeaver versions KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.54

Mitigation

Users and administrators of affected product versions are strongly advised to update to the latest versions immediately.

References

https://support.sap.com/en/my-support/knowledge-base/security-notes-news/bulletin-2025.html#:~:text=SAP%20Security%20Patch%20Day%20%2D%20September%202025

https://nvd.nist.gov/vuln/detail/CVE-2025-42944

https://nvd.nist.gov/vuln/detail/CVE-2025-42922

https://nvd.nist.gov/vuln/detail/CVE-2025-42958

https://thehackernews.com/2025/09/sap-patches-critical-netweaver-cvss-up.html

Back to top