Last update: 10/09/2025
Affected products:
- SAP NetWeaver (RMI-P4)
- SAP NetWeaver AS Java
- SAP NetWeaver AS for ABAP and ABAP Platform
- SAP Business One (SLD)
- SAP Landscape Transformation Replication Server
- SAP S/4HANA
Type:
- Insecure Deserialisation, Insecure File Operations, Missing Authentication check
CVE/CVSS:
- CVE-2025-42944 CVSS 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
- CVE-2025-42922 CVSS 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
- CVE-2025-42958 CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
- CVE-2025-42933 CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- CVE-2025-42929 CVSS 8.1 (CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H)
- CVE-2025-42916 CVSS 8.1 (CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H)
- CVE-2025-27428 CVSS 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
SAP - https://support.sap.com/en/my-support/knowledge-base/security-notes-news/september-2025.html
SAP published an advisory about multiple vulnerabilities. The CCB highlights the most interesting vulnerabilities for publication in this report.
The selected vulnerabilities allow an unauthenticated attacker to remotely execute arbitrary code, gaining control over the affected NetWeaver instance. Attackers can read, modify, and delete files, execute commands, and use the instance to move laterally within the network. There is a high impact on confidentiality, availability and integrity. Users with low or insufficient privileges are also able to read, alter and delete files they shouldn’t have access to.
In the SAP Business One native client, a vulnerability exists that can leak sensitive credentials during login, resulting in a high impact on confidentiality, availability, and integrity.
CVE-2025-42944
In SAP NetWeaver’s RMI-P4 module, an insecure deserialisation of untrusted Java objects exists. When an unauthenticated attacker sends a malicious payload to an open port, they can execute arbitrary OS commands.
CVE-2025-42922
This vulnerability in SAP NetWeaver AS Java allows a non-administrative user to upload arbitrary files with execution privileges. CVE-2025-42922 allows the authenticated attacker to execute code and escalate privileges.
CVE-2025-42958
In SAP NetWeaver running on IBM i-series systems, high-privileged users can read, modify, and delete files they are not authorised to access, which can compromise administrative and privileged functionalities.
CVE-2025-42933
When logging in to SAP Business One with the native client, credentials are not adequately encrypted, exposing sensitive information in the HTTP response body.
CVE-2025-42929 & CVE-2025-42916
These vulnerabilities in SAP Landscape Transformation Replication Server allow an actor to clear database tables that are not protected via an authorisation group.
CVE-2025-27428
This directory traversal vulnerability, shared by SAP NetWeaver and ABAP Platform, allows an authorised attacker to read files from any managed system connected to SAP Solution Manager.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.