Particle.news

SAP Releases September Patches for Critical NetWeaver Bugs Including 10.0 RCE

Researchers urge rapid patching to reduce the risk of full compromise.

Overview

  • The release delivers 21 new security notes and four updates, including multiple HotNews advisories for NetWeaver.
  • CVE-2025-42944 carries a CVSS 10.0 score for an insecure deserialization flaw in RMI‑P4 that enables unauthenticated OS command execution via a malicious Java object sent to an open P4 port.
  • CVE-2025-42922 affects NetWeaver AS Java Deploy Web Service and lets authenticated non‑admin users upload arbitrary files that can lead to full system compromise.
  • CVE-2025-42958 addresses a missing authentication check that could allow unauthorized high‑privileged users to access and modify sensitive data and administrative functions.
  • Onapsis and SecurityBridge issued technical assessments and mitigation guidance, including ICM‑level P4 port filtering, and reporting to date has not confirmed in‑the‑wild exploitation of these newly patched issues.
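The mitigation guidance above boils down to not leaving the P4 port reachable from untrusted networks until the fix is applied. The following script is an added example, not code from the article or from SAP, Onapsis or SecurityBridge: it parses socket-listing lines in the shape of `ss -tlnp` output and flags P4 listeners bound to a wildcard address. It assumes the SAP convention that instance NN listens for P4 on port 5NN04 and for P4 over SSL on 5NN05; the listing lines are constructed sample data, not a real capture.

```python
"""Added example (not from the article or from SAP/Onapsis/SecurityBridge):
flag SAP NetWeaver AS Java P4 listeners that are bound to all interfaces.

Assumption: by SAP convention the P4 port of instance NN is 5NN04 and the
P4-over-SSL port is 5NN05. All sample data below is constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Listener:
    addr: str
    port: int
    process: str


# Constructed lines in the shape of `ss -tlnp` output (not a real capture):
# instance 00 with P4 (50004) on all interfaces and P4S (50005) on loopback.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:50004       0.0.0.0:*         users:(("jstart",pid=4242,fd=31))
LISTEN 0      128    127.0.0.1:50005     0.0.0.0:*         users:(("jstart",pid=4242,fd=32))
LISTEN 0      128    0.0.0.0:50000       0.0.0.0:*         users:(("icman",pid=4200,fd=12))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=900,fd=3))
"""

# One LISTEN row: state, queues, local addr:port, peer addr:port, process.
LINE_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+(?P<proc>.*)$"
)

# Addresses that mean "every interface" in ss output.
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}


def parse_ss(text):
    """Turn LISTEN rows into Listener records; header and non-LISTEN rows are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr = m.group("addr").strip("[]")  # IPv6 addresses are bracketed
        listeners.append(Listener(addr, int(m.group("port")), m.group("proc")))
    return listeners


def p4_ports(instance_no):
    """Expected P4 ports for an instance number (assumed 5NN04 / 5NN05 convention)."""
    base = 50000 + instance_no * 100
    return {base + 4: "P4", base + 5: "P4S"}


def exposed_p4_listeners(listeners, instance_no):
    """Return (port, service, process) for P4/P4S listeners bound to a wildcard address."""
    ports = p4_ports(instance_no)
    return [
        (l.port, ports[l.port], l.process)
        for l in listeners
        if l.port in ports and l.addr in WILDCARD_ADDRS
    ]


if __name__ == "__main__":
    for port, svc, proc in exposed_p4_listeners(parse_ss(SAMPLE_SS_OUTPUT), 0):
        print(f"{svc} on tcp/{port} is bound to all interfaces ({proc}); "
              "restrict it at the ICM/firewall level until the patch is applied")
```

On a real host the sample text would be replaced with the output of `ss -tlnp`; a loopback-only or internal-only binding for P4 is what the filtering guidance aims at, so only wildcard-bound P4/P4S sockets are reported.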