CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Critical vulnerabilities in SAP NetWeaver and related products addressed

First reported
Last updated
3 unique sources, 5 articles

Summary

Hide ▲

SAP has released security updates addressing multiple vulnerabilities, including three critical flaws in NetWeaver and a high-severity issue in S/4HANA. The most severe, CVE-2025-42944, allows unauthenticated attackers to execute arbitrary OS commands via an insecure deserialization vulnerability in the RMI-P4 module. The second critical flaw, CVE-2025-42922, enables authenticated attackers to upload arbitrary files, potentially leading to full system compromise. The third critical vulnerability, CVE-2025-42958, allows unauthorized high-privileged users to access sensitive data and administrative functions. Additionally, a high-severity missing input validation bug in SAP S/4HANA (CVE-2025-42916) was patched, which could permit attackers to delete the content of arbitrary database tables. In the November 2025 security updates, SAP addressed a maximum severity flaw in the non-GUI variant of the SQL Anywhere Monitor (CVE-2025-42890) and a critical code injection issue in the Solution Manager platform (CVE-2025-42887). The SQL Anywhere Monitor flaw involves hardcoded credentials that could allow attackers to access administrative functions and execute arbitrary code. The Solution Manager flaw allows authenticated attackers to insert malicious code, potentially leading to full system control. SAP also released fixes for one high-severity flaw (CVE-2025-42940) and 14 other medium-severity vulnerabilities. These vulnerabilities affect SAP NetWeaver, the foundation for various business applications like ERP, CRM, SRM, and SCM, widely deployed in large enterprise networks. The RMI-P4 port, used for internal SAP-to-SAP communication, may be exposed to wider networks due to misconfigurations. SAP products are frequent targets for high-value compromises due to their handling of mission-critical data. Earlier this month, a critical code injection vulnerability (CVE-2025-42957) was exploited in S/4HANA, Business One, and NetWeaver products. SAP has also updated security notes for other high-severity vulnerabilities in Business One, Landscape Transformation Replication Server, and S/4HANA.

Timeline

  1. 11.11.2025 17:38 1 articles · 23h ago

    SAP fixes hardcoded credentials flaw in SQL Anywhere Monitor

    SAP's November 2025 security updates address a maximum severity flaw in the non-GUI variant of the SQL Anywhere Monitor (CVE-2025-42890) involving hardcoded credentials. Exploitation of this flaw could allow attackers to access administrative functions and execute arbitrary code. The SQL Anywhere Monitor is a database monitoring and alert tool, typically used by organizations managing distributed or remote databases. The non-GUI monitor component is typically deployed on unattended appliances where it runs without frequent human oversight.

    Show sources
    Open in new tab
  2. 11.11.2025 17:38 1 articles · 23h ago

    SAP addresses critical code injection issue in Solution Manager

    The November 2025 security updates also address a critical code injection issue in SAP Solution Manager (CVE-2025-42887). This flaw, with a CVSS score of 9.9, allows authenticated attackers to insert malicious code when calling a remote-enabled function module, potentially leading to full system control. SAP Solution Manager is a centralized management and monitoring platform for SAP environments, typically used by large enterprises that operate complex networks encompassing ERP, CRM, and analytics solutions.

    Show sources
    Open in new tab
  3. 15.10.2025 08:36 1 articles · 28d ago

    SAP releases additional security fixes for 13 new vulnerabilities

    SAP has rolled out security fixes for 13 new security issues, including hardening for a maximum-severity bug in SAP NetWeaver AS Java (CVE-2025-42944). The latest fix includes a JVM-wide filter to prevent dedicated classes from being deserialized. Two new critical vulnerabilities have been identified: CVE-2025-42937, a directory traversal flaw in SAP Print Service, and CVE-2025-42910, an unrestricted file upload bug in SAP Supplier Relationship Management.

    Show sources
    Open in new tab
  4. 10.09.2025 04:03 1 articles · 2mo ago

    SAP releases patch for high-severity S/4HANA input validation flaw

    The article details a high-severity missing input validation bug in SAP S/4HANA (CVE-2025-42916) with a CVSS score of 8.1. This vulnerability could allow an attacker with high privilege access to ABAP reports to delete the content of arbitrary database tables. The article underscores the urgency of applying the patch to prevent potential exploitation.

    Show sources
    Open in new tab
  5. 09.09.2025 16:18 5 articles · 2mo ago

    SAP addresses critical vulnerabilities in NetWeaver and related products

    Additional details on the impact of the three critical vulnerabilities in SAP NetWeaver have been provided. The article confirms the insecure deserialization vulnerability (CVE-2025-42944) in the RMI-P4 module, which allows unauthenticated attackers to execute arbitrary OS commands. The latest fix includes a JVM-wide filter to prevent dedicated classes from being deserialized. Two new critical vulnerabilities have been identified: CVE-2025-42937, a directory traversal flaw in SAP Print Service, and CVE-2025-42910, an unrestricted file upload bug in SAP Supplier Relationship Management. SAP has also released further updates for CVE-2025-42944, a critical flaw in NetWeaver initially addressed last month.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Critical WSUS RCE Vulnerability Exploited in the Wild

A critical remote code execution (RCE) vulnerability (CVE-2025-59287) in Windows Server Update Service (WSUS) is being actively exploited in the wild. The flaw allows attackers to run malicious code with SYSTEM privileges on Windows servers with the WSUS Server role enabled. Microsoft has released out-of-band patches for all affected Windows Server versions. Cybersecurity firms have observed exploitation attempts and the presence of publicly available proof-of-concept exploit code. The vulnerability is considered potentially wormable between WSUS servers and poses a significant risk to organizations. The flaw concerns a case of deserialization of untrusted data in WSUS. The vulnerability was discovered and reported by security researchers MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange with CODE WHITE GmbH. CISA and NSA, along with international partners, have issued guidance to secure Microsoft Exchange Server instances, including recommendations to restrict administrative access, implement multi-factor authentication, and enforce strict transport security configurations. The agencies advise decommissioning end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365. Sophos reported threat actors exploiting the vulnerability to harvest sensitive data from U.S. organizations across various industries, with at least 50 victims identified. The exploitation activity was first detected on October 24, 2025, a day after Microsoft issued the update. Attackers use Base64-encoded PowerShell commands to exfiltrate data to a webhook[.]site endpoint. Michael Haag of Splunk noted an alternate attack chain involving the Microsoft Management Console binary (mmc.exe) to trigger cmd.exe execution.

Open in new tab

Active Exploitation of Multiple Critical Vulnerabilities in Gladinet and TrioFox

Active exploitation of critical vulnerabilities in Gladinet's CentreStack and TrioFox products continues. The zero-day vulnerability, CVE-2025-11371, is an unauthenticated local file inclusion bug that allows unintended disclosure of system files. This flaw affects all versions prior to and including 16.7.10368.56560. The vulnerability has been exploited to retrieve the machine key from the application Web.config file, enabling remote code execution via a ViewState deserialization vulnerability. Three customers have been impacted so far. A patch for the zero-day vulnerability CVE-2025-11371 is now available in CentreStack version 16.10.10408.56683. Users are advised to upgrade to this version or, if upgrading is not possible, disable the "temp" handler within the Web.config file for UploadDownloadProxy to mitigate the risk. The vendor, Gladinet, has been notified and is working on a fix. The vulnerability was detected by researchers at Huntress on September 27, 2025. The flaw was exploited to obtain a machine key and execute code remotely. The attack used an older deserialization vulnerability (CVE-2025-30406) to achieve remote code execution (RCE) through ViewState. The mitigations will impact some functionality of the platform but prevent exploitation of CVE-2025-11371. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-11371 to its Known Exploited Vulnerabilities (KEV) catalog on November 5, 2025, citing evidence of active exploitation. Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary fixes by November 25, 2025, to secure their networks. Additionally, a new critical vulnerability, CVE-2025-12480 (CVSS score: 9.8), has been discovered in Gladinet's Triofox file-sharing and remote access platform. This flaw allows attackers to bypass authentication and access configuration pages, resulting in the upload and execution of arbitrary payloads. The threat cluster tracked as UNC6485 has been exploiting this flaw since August 24, 2025. The attackers have used the built-in antivirus feature to execute malicious files and set up encrypted tunnels to command-and-control servers, leveraging remote access tools like Zoho Assist and AnyDesk for further exploitation. The vulnerability CVE-2025-12480 was discovered and reported by Mandiant on November 10. The flaw allows an attacker to gain access to initial setup pages even after setup is complete, enabling the upload and execution of arbitrary payloads. The exploitation campaign started on August 14, 2025. The attackers exploited an HTTP Host header vulnerability by spoofing localhost in requests, bypassing access controls to reach the normally restricted AdminDatabase.aspx setup page. The flaw stemmed from missing origin validation and over-reliance on the host header, allowing unauthenticated remote access to critical configuration pages. The attackers logged in using the newly created Admin account and uploaded malicious files to execute them using the built-in anti-virus feature.

Open in new tab

UNC5174 Exploits VMware Zero-Day Privilege Escalation Since October 2024

A China-linked threat actor, UNC5174, has been exploiting a zero-day privilege escalation vulnerability in VMware products since mid-October 2024. The flaw, CVE-2025-41244, affects multiple VMware products and allows local attackers to escalate privileges to root on affected virtual machines. The vulnerability was discovered in May 2025 and patched in VMware Tools 12.4.9 and later versions. The flaw is rooted in the get_version() function, which can be exploited by placing a malicious binary in a writable directory. UNC5174 has been observed using this method to gain elevated access and execute code on compromised systems. The exact payload and nature of the attacks remain unclear. Broadcom has confirmed the patch for the vulnerability in VMware Aria Operations and VMware Tools. NVISO released a proof-of-concept exploit demonstrating privilege escalation on vulnerable VMware software. UNC5174 has been linked to previous attacks on U.S. defense contractors, UK government entities, Asian institutions, and the cybersecurity firm SentinelOne, exploiting vulnerabilities such as F5 BIG-IP CVE-2023-46747 and ConnectWise ScreenConnect flaw. The exploitation of CVE-2025-41244 is considered trivial, potentially benefiting multiple malware strains. NVISO identified the vulnerability in mid-May 2025 during an incident response engagement with UNC5174. Broadcom disclosed three vulnerabilities on September 29, 2025, including CVE-2025-41244. The CVSS severity rating for CVE-2025-41244 is 7.8, classified as high. On October 31, 2025, CISA added CVE-2025-41244 to its Known Exploited Vulnerabilities catalog. FCEB agencies have until November 20, 2025, to patch their systems. CISA urged all organizations to prioritize patching this vulnerability.

Open in new tab

ForcedLeak Vulnerability in Salesforce Agentforce Exploited via AI Prompt Injection

A critical vulnerability in Salesforce Agentforce, named ForcedLeak, allowed attackers to exfiltrate sensitive CRM data through indirect prompt injection. The flaw affected organizations using Salesforce Agentforce with Web-to-Lead functionality enabled. The vulnerability was discovered and reported by Noma Security on July 28, 2025. Salesforce has since patched the issue and implemented additional security measures, including regaining control of an expired domain and preventing AI agent output from being sent to untrusted domains. The exploit involved manipulating the Description field in Web-to-Lead forms to execute malicious instructions, leading to data leakage. Salesforce has enforced a Trusted URL allowlist to mitigate the risk of similar attacks in the future. The ForcedLeak vulnerability is a critical vulnerability chain with a CVSS score of 9.4, described as a cross-site scripting (XSS) play for the AI era. The exploit involves embedding a malicious prompt in a Web-to-Lead form, which the AI agent processes, leading to data leakage. The attack could potentially lead to the exfiltration of internal communications, business strategy insights, and detailed customer information. Salesforce is addressing the root cause of the vulnerability by implementing more robust layers of defense for their models and agents.

Open in new tab

CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03 in September 2025, mandating federal agencies to mitigate zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) and Firewall Threat Defense (FTD) devices exploited by the state-sponsored ArcaneDoor campaign. The directive required agencies to account for all affected devices, collect forensic data, and upgrade or disconnect end-of-support devices by September 26, 2025. The vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, and CVE-2025-20352) enabled unauthenticated remote code execution, unauthorized access, and denial-of-service (DoS) attacks, with exploitation linked to the ArcaneDoor group. New developments reveal that the same or related threat actors also exploited **CVE-2025-5777 (Citrix Bleed 2)** in NetScaler ADC and Gateway and **CVE-2025-20337** in Cisco Identity Service Engine (ISE) as zero-days prior to public disclosure. Amazon’s threat intelligence team detected these attacks via their MadPot honeypot service, identifying a custom web shell ('IdentityAuditAction') deployed on compromised Cisco ISE devices. The web shell used advanced evasion techniques, including DES encryption and Java reflection, to maintain persistence and avoid detection. While the tactics suggest a highly resourced actor, the indiscriminate targeting deviates from typical APT behavior. Earlier phases of the campaign involved the ArcaneDoor group exploiting ASA and FTD zero-days to deploy malware like RayInitiator and LINE VIPER, manipulate ROM for persistence, and force devices into reboot loops. Nearly 50,000 vulnerable ASA and FTD appliances were identified globally, with CISA and allied cybersecurity agencies urging immediate patching and mitigation. The latest findings expand the scope of the threat actor’s operations beyond Cisco ASA/FTD devices to include Cisco ISE and Citrix infrastructure, underscoring the group’s broad and evolving attack surface. Amazon’s latest report confirms the threat actor’s use of **custom-built malware** targeting Cisco ISE environments, employing advanced techniques such as in-memory operation, Tomcat thread injection, and non-standard encryption. The campaign’s indiscriminate nature, combined with the exploitation of multiple zero-days, suggests a highly capable adversary with access to sophisticated tools and potentially non-public vulnerability intelligence.

Open in new tab