Post

Critical SAP NetWeaver Flaw Patched in June 2025 Security Update

Posted
By Vitus White
2 min read
Critical SAP NetWeaver Flaw Patched in June 2025 Security Update

TL;DR

SAP’s June 2025 Security Patch addressed a critical vulnerability (CVE-2025-42989) in NetWeaver, which could allow attackers to bypass authorization and escalate privileges. The patch also fixed several other high and medium-severity issues.

Main Content

SAP Patches Critical NetWeaver Vulnerability

In the June 2025 Security Patch, SAP addressed a critical flaw in NetWeaver, tracked as CVE-2025-42989 with a CVSS score of 9.6. This vulnerability allows threat actors to bypass authorization checks and escalate their privileges, posing a significant risk to application integrity and availability.

"RFC inbound processing does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges," reads the advisory. "On successful exploitation the attacker could critically impact both integrity and availability of the application."

The flaw resides in SAP’s Remote Function Call (RFC) framework, allowing authenticated attackers to bypass key checks and escalate privileges, thereby risking the integrity and availability of the application.

"SAP Security Note #3600840, tagged with a CVSS score of 9.6, patches a critical Missing Authorization Check vulnerability in the Remote Function Call (RFC) framework of SAP NetWeaver Application Server AS ABAP," report published by security firm Onapsis.

Additional Vulnerabilities Addressed

The June 2025 Security Patch Day addressed a total of five high-severity flaws:

  • CVE-2025-42982 (CVSS score of 8.8) – Information Disclosure in SAP GRC (AC Plugin)
  • CVE-2025-42983 (CVSS score of 8.5) – Missing Authorization check in SAP Business Warehouse and SAP Plug-In Basis
  • CVE-2025-23192 (CVSS score of 8.2) – Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence (BI Workspace)
  • CVE-2025-42977 (CVSS score of 7.6) – Directory Traversal vulnerability in SAP NetWeaver Visual Composer
  • CVE-2025-42994 (CVSS score of 7.5) – Multiple vulnerabilities in SAP MDM Server

Additionally, SAP fixed six medium-severity issues and two low-severity bugs. The advisory published by SAP does not mention any attacks exploiting these vulnerabilities.

Conclusion

SAP’s proactive approach in addressing these vulnerabilities underscores the importance of regular security updates. Users are advised to apply the patches promptly to mitigate potential risks.

For further insights, check:

Follow me on Twitter: @securityaffairs, Facebook, and Mastodon

Pierluigi Paganini: LinkedIn

For more details, visit the full article: source

References

Cybersecurity & Data Protection, Vulnerabilities
cybersecurity sap netweaver
This post is licensed under CC BY 4.0 by the author.