Watch out - this SAP NetWeaver bug has a maximum severity score, and it could target your servers next
Date:
Wed, 15 Oct 2025 17:20:00 +0000
Description:
SAP released additional hardening after patching the bug last month.
FULL STORY ======================================================================
- SAP patched CVE-2025-42944, a critical flaw allowing unauthenticated OS command execution
- Two more severe vulnerabilities affect SAP Print Service and Supplier Relationship Management modules
- Unpatched systems remain exposed; n-day flaws are widely exploited due to delayed patching

Software giant SAP has released additional security hardening for a maximum-severity vulnerability that grants threat actors arbitrary command execution on vulnerable servers.
Earlier this week, the company published a new security advisory detailing fixes for a total of 17 vulnerabilities (13 new fixes and 4 updates to earlier notes), including a 10/10 insecure deserialization flaw in SAP NetWeaver AS Java. Tracked as CVE-2025-42944, the flaw allows an unauthenticated attacker to exploit systems through the RMI-P4 module by submitting malicious serialized payloads to an exposed port.

"The deserialization of such untrusted Java objects could lead to arbitrary OS command execution, posing a high impact to the application's confidentiality, integrity, and availability," NVD explained. SAP patched it as part of its September 2025 Security Patch Day; this month's advisory adds hardening on top of that fix.

Abusing n-days

The advisory details two additional critical-severity flaws: a directory traversal vulnerability in SAP Print Service, and an unrestricted file upload vulnerability in SAP Supplier Relationship Management.
The former is tracked as CVE-2025-42937 and has a severity score of 9.8/10, while the latter is tracked as CVE-2025-42910 and has a severity score of 9.0/10.
Although none of these bugs has been seen exploited in the wild, SAP urges its users to apply the patches and mitigations as soon as possible to minimize the risk.
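The NVD description of CVE-2025-42944 (deserialization of untrusted Java objects received on a network port) points at the general bug class behind it, and the general defence is independent of SAP's specific patch: never let an ObjectInputStream instantiate whatever class a remote peer names in the stream. The Java program below is an added illustration written for this page; it is not SAP code, not the P4 protocol and not the patched component, and PrintJob, Gadget and the "service" context are hypothetical stand-ins. It reads the same byte streams twice: once without a filter, where a class the service never asked for gets its readObject() executed (the vulnerable pattern), and once behind a JEP 290 allow-list filter (Java 9+), which rejects the unexpected class before any of its code runs.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

public class DeserializationFilterDemo {

    // Records side effects of deserialization so the two code paths can be compared.
    static final List<String> SIDE_EFFECTS = new ArrayList<>();

    // Hypothetical message type a service legitimately expects to receive on its socket.
    static final class PrintJob implements Serializable {
        private static final long serialVersionUID = 1L;
        final String printer;
        PrintJob(String printer) { this.printer = printer; }
    }

    // Stand-in for the kind of class an attacker ships: not the type the service expects,
    // and its readObject() runs as soon as the bytes are deserialized. A real gadget chain
    // would reach Runtime.exec() or similar from here; this one only records that it ran.
    static final class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            SIDE_EFFECTS.add("Gadget.readObject ran");
        }
    }

    // Produces the bytes that would arrive over the wire (constructed inline; no network).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: whatever class is named in the stream gets instantiated.
    static Object readUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: an allow-list filter permits only the expected classes and rejects
    // everything else ("!*") before the class is resolved or any of its code runs. The same
    // pattern string can be applied JVM-wide with -Djdk.serialFilter=... for code you do not own.
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "DeserializationFilterDemo$PrintJob;java.lang.String;maxdepth=4;!*");

    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(ALLOW_LIST); // must be set before the first readObject()
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new PrintJob("LP01"));
        byte[] hostile = serialize(new Gadget());

        // Unfiltered: the legitimate message works, but so does the attacker's class.
        PrintJob job = (PrintJob) readUnfiltered(legit);
        System.out.println("unfiltered, legit:   printer=" + job.printer);
        readUnfiltered(hostile);
        System.out.println("unfiltered, hostile: side effects=" + SIDE_EFFECTS);

        // Filtered: the legitimate message still works; the attacker's class is rejected
        // with an InvalidClassException and its readObject() never executes.
        SIDE_EFFECTS.clear();
        job = (PrintJob) readFiltered(legit);
        System.out.println("filtered, legit:     printer=" + job.printer);
        try {
            readFiltered(hostile);
            System.out.println("filtered, hostile:   unexpectedly accepted");
        } catch (InvalidClassException e) {
            System.out.println("filtered, hostile:   rejected (" + e.getMessage()
                    + "), side effects=" + SIDE_EFFECTS);
        }
    }
}
```

Compile and run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo`. The filter is defence in depth, not a substitute for SAP's patch: it narrows what a stream may instantiate, but a class on the allow-list can still be abused if it is itself a gadget, which is why the list should name concrete expected types rather than broad packages. The other control a practitioner should check on any AS Java host is network exposure: an RMI-P4 listener reachable from untrusted networks is the precondition the advisory describes, and blocking it at the perimeter removes the attack path regardless of patch level.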
Exploits for zero-day flaws arguably have a higher success rate than exploits for n-day flaws (bugs that are already public and already patched by the vendor), but n-days are abused far more often, because many organizations fail to patch on time and leave vulnerable instances exposed to the wider internet for months on end.
Combined with widely available proof-of-concept (PoC) exploits, that makes n-day flaws low-hanging fruit that is easy to exploit.
SAP is the world's largest ERP vendor, with products in use by more than 90% of the Forbes Global 2000, so cybercriminals will most likely scan for endpoints that haven't applied the patch, looking for a way into the IT networks of some of the world's most important brands.
Via The Hacker News
======================================================================
Link to news story:
https://www.techradar.com/pro/security/watch-out-this-sap-netweaver-bug-has-a-maximum-severity-score-and-it-could-target-your-servers-next
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)