SAP Patches Critical Flaws Allowing Full System Takeover

SAP has addressed two critical vulnerabilities in the NetWeaver Java application server that could allow attackers to execute arbitrary code and fully compromise affected systems. The security updates, released in September 2025, remediate CVE-2025-42922 and CVE-2025-42944.

The first flaw, CVE-2025-42922, lies within the file upload mechanism of the Deploy Web Service. An authenticated user with minimal privileges can upload arbitrary files, which under certain configurations may result in remote code execution.

The second flaw, CVE-2025-42944, is even more severe. Affecting the RMI-P4 module, it enables unauthenticated attackers to execute commands on the server simply by sending a specially crafted request to an exposed port.

Together, these vulnerabilities pose a grave risk of complete server takeover. Corporate data, critical processes, and infrastructure are all at stake, as attackers could deploy backdoors, exfiltrate information, and establish persistence within internal networks.

According to CyberOK, more than 140 active SAP NetWeaver instances were identified across the Russian internet, with approximately 10% potentially vulnerable to the reported flaws. Worryingly, a single server may suffer from both vulnerabilities simultaneously, amplifying the threat.

Security experts emphasize the importance of monitoring logs. Warning signs include unusual requests to the Deploy Web Service, abnormal RMI port connections, and spikes in errors, session resets, or traffic during non-working hours.

The exploitation potential of CVE-2025-42944 is particularly critical, as it requires no credentials and could therefore be leveraged in widespread, opportunistic attacks.

To safeguard infrastructure, administrators are urged to immediately apply the official security patches. Restricting external access to NetWeaver interfaces through IP filters, VPNs, or ACLs can further reduce exposure.

Additionally, system owners should review directories for suspicious uploaded files and audit service accounts — including password and key resets as well as privilege reviews.

Organizations running NetWeaver must recognize that delays in patch deployment dramatically increase the likelihood of compromise, especially given the surge in scanning activity across the internet for vulnerable instances.

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal Crypto

USDT (TRC20):

TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm Copy

USDT (ERC20):

0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce Copy