Critical Vulnerabilities in SAP NetWeaver
12 September 2025
SAP has released security updates addressing critical vulnerabilities in SAP NetWeaver. Users and administrators of affected product versions are strongly advised to update to the latest versions immediately.
Background
SAP has released security updates addressing critical vulnerabilities (CVE-2025-42944, CVE-2025-42922, CVE-2025-42958) in SAP NetWeaver.
Impact
CVE-2025-42944: Successful exploitation of the deserialisation vulnerability could allow an unauthenticated attacker to execute arbitrary code. This vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 10 out of 10.
CVE-2025-42922: Successful exploitation of the insecure file operations vulnerability could allow an attacker authenticated as a non-administrative user to upload an arbitrary file, potentially leading to a full system compromise. This vulnerability has a Common Vulnerability Scoring System (CVSSv3.1) score of 9.9 out of 10.
CVE-2025-42958: Successful exploitation of the missing authentication check vulnerability could allow an attacker with elevated privileges to read, modify, or delete sensitive information, as well as access administrative or privileged functionalities.
Affected Products
The vulnerabilities affect the following products:
For CVE-2025-42944:
- NetWeaver (RMI-P4) SERVERCORE 7.50
For CVE-2025-42922:
- NetWeaver AS Java (Deploy Web Service) J2EE-APPS 7.50
For CVE-2025-42958:
- NetWeaver versions KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, KERNEL 7.22, 7.54
Mitigation
Users and administrators of affected product versions are strongly advised to update to the latest versions immediately.
References
https://support.sap.com/en/my-support/knowledge-base/security-notes-news/september-2025.html
https://nvd.nist.gov/vuln/detail/CVE-2025-42944
https://nvd.nist.gov/vuln/detail/CVE-2025-42922
https://nvd.nist.gov/vuln/detail/CVE-2025-42958
https://thehackernews.com/2025/09/sap-patches-critical-netweaver-cvss-up.html