SAP users are being urged to immediately patch multiple critical vulnerabilities, including one that is actively exploited, affecting S/4HANA and NetWeaver systems.
Quick Summary – TLDR:
- SAP fixed multiple severe bugs in S/4HANA and NetWeaver, some scoring up to CVSS 10.0
- One bug (CVE-2025-42957) is actively exploited in the wild and has no workaround
- Attackers can gain full control of SAP systems, steal data, deploy ransomware, or disrupt operations
- Enterprises must patch urgently, as many remain vulnerable due to complex system architectures
What Happened?
SAP has released patches for a series of critical vulnerabilities in its flagship platforms S/4HANA and NetWeaver, some of which could let attackers take full control of enterprise systems. At least one of these flaws is already being actively exploited, sparking urgent warnings from security experts.
🚨 Alert 🚨 CVE-2025-42944 (CVSS 10.0): Insecure Deserialization vulnerability in SAP NetWeaver
CVE-2025-42922 (CVSS 9.9): Insecure File Operations vulnerability in SAP NetWeaver AS Java
CVE-2025-42958 (CVSS 9.1): Missing Authentication Check vulnerability in the SAP NetWeaver…
— Hunter (@HunterMapping) September 10, 2025
SAP Systems at Risk: S/4HANA and NetWeaver
One of the most serious flaws is CVE-2025-42957, a code injection vulnerability in SAP S/4HANA with a CVSS score of 9.9. The flaw allows a low-privilege user to inject arbitrary ABAP code and gain admin-level access. This opens the door to data theft, ransomware, backdoors, and complete system disruption.
Jonathan Stross, SAP security analyst at Pathlock, explained the gravity: “Because SAP S/4HANA is typically a central system of an organization’s financial, supply chain, and operational processes, its compromise can bring significant damage to an organization in literally any vertical.”
Critical SAP security updates you need to know – September Patch Tuesday!
September’s SAP Patch Tuesday delivers critical updates you can’t afford to miss.
👉 Read the article here: https://t.co/BtI6Ps6NyN
— Pathlock (@pathlock) September 10, 2025
Even more troubling, the Dutch National Cyber Security Center confirmed this flaw is already being exploited in the wild, though a public exploit has not yet surfaced.
Adding to the urgency, there are no workarounds. Organizations must apply SAP’s patch, which was released on August 12.
More Critical Bugs in SAP NetWeaver
SAP’s September security update also fixed three critical vulnerabilities in NetWeaver, the platform that powers key applications like ERP, CRM, and SCM.
Top vulnerabilities include:
- CVE-2025-42944 (CVSS 10.0): An unauthenticated attacker can exploit this deserialization flaw in NetWeaver ServerCore via the RMI-P4 protocol to execute arbitrary OS commands.
- CVE-2025-42922 (CVSS 9.9): A file operations bug in NetWeaver AS Java that lets attackers upload arbitrary files and potentially compromise the system.
- CVE-2025-42958 (CVSS 9.1): A missing authentication check that enables high-privileged users to read, modify, or delete sensitive data and gain access to admin features.
SAP also patched other high-severity bugs, including:
- CVE-2025-42916 (CVSS 8.1) in S/4HANA, which lets attackers delete database tables if proper authorization is not in place.
- CVE-2025-42933 and CVE-2025-42929, which involve insecure storage of credentials and input validation issues in Business One and SLT Replication Server.
Complex SAP Landscapes Slow Down Patching
Stross noted that many enterprises are struggling to patch quickly: “Unfortunately, we continue to see hundreds of organizations that remain unpatched. Applying a fix in an SAP landscape is not as simple as updating a single system.”
SAP environments often span multiple interconnected platforms, each deeply customized. This makes timely patching difficult and increases the risk of prolonged exposure to serious vulnerabilities.
Security Experts Recommend Immediate Action
While CVE-2025-42957 is already being exploited, there’s no evidence yet that the newer vulnerabilities are being used in active attacks. However, experts stress that companies should not wait for proof of exploitation before acting.
Onapsis, a security firm that closely tracks SAP flaws, recommends filtering access to the P4 port as a temporary workaround for CVE-2025-42944, but strongly advises installing the patch as the primary fix.
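The P4 port filtering that Onapsis suggests as a stop-gap, worked into a concrete host-firewall ruleset as an added example (not code from the article, Onapsis or SAP). It assumes SAP's default port scheme, where AS Java instance NN serves P4 on 5NN04 and P4 over SSL on 5NN06, and that the allowlisted networks are the only legitimate P4 clients; the instance numbers and CIDRs are constructed values.

```shell
#!/bin/sh
# Added example: emit an nftables ruleset that restricts the NetWeaver AS Java
# P4 ports to an allowlist of admin/integration networks and logs everything
# else, as a stop-gap while CVE-2025-42944 is being patched. Not SAP or
# Onapsis code. Assumes SAP's default port numbering (instance NN: P4 on
# 5NN04, P4-over-SSL on 5NN06); confirm against the instance profile.

# p4_ports NN -> "5NN04 5NN06" for a one- or two-digit instance number
p4_ports() {
    case "$1" in
        [0-9][0-9]) nn=$1 ;;
        [0-9])      nn=0$1 ;;
        *)          echo "bad instance number: $1" >&2; return 1 ;;
    esac
    printf '5%s04 5%s06\n' "$nn" "$nn"
}

# gen_p4_ruleset "<instance numbers>" "<allowed IPv4 CIDRs>" -> ruleset on stdout
gen_p4_ruleset() {
    ports=""
    for nn in $1; do
        for p in $(p4_ports "$nn"); do ports="${ports:+$ports,}$p"; done
    done
    cidrs=""
    for c in $2; do cidrs="${cidrs:+$cidrs,}$c"; done
    cat <<EOF
table inet sap_p4 {
    chain input {
        type filter hook input priority 0; policy accept;
        # hosts that legitimately speak P4 (IPv4 allowlist only)
        ip saddr { $cidrs } tcp dport { $ports } accept
        # everyone else: log the attempt for detection, then drop it
        tcp dport { $ports } log prefix "sap-p4-blocked: " drop
    }
}
EOF
}

# Constructed example: instances 00 and 01, one admin subnet and one SAP
# integration host. Review the output, then load it with: nft -f rules.nft
gen_p4_ruleset "00 01" "10.10.5.0/24 10.10.6.10/32"
```

The ruleset narrows who can reach the port and makes blocked attempts visible in the kernel log; it does not remove the deserialization flaw, so the patch remains the fix.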
SQ Magazine Takeaway
This is exactly the kind of situation where waiting is not an option. SAP systems are the heart of many businesses. These are not just bugs. They are doors wide open to attackers who are already walking through one of them. If your organization runs S/4HANA or NetWeaver, stop everything and patch. I know patching SAP isn’t easy. It’s messy, interconnected, and a pain to test. But ignoring this risk is worse. Don’t let bureaucracy or complexity be the reason your data ends up on the dark web.