SAP Warns of Critical Vulnerabilities in Various Products

juice

Users of SAP’s S/4HANA and Netweaver products are at risk and should patch as soon as possible.

SAP has disclosed a series of new security flaws in its business software, including one rated at the maximum severity score of 10. That flaw is located in NetWeaver, the technical foundation of many SAP applications. Through an exposed port, attackers can execute malicious commands without logging in, Ars Technica reports.

NetWeaver under Fire

The flaw is a deserialization issue (CVE-2025-42944) that lets unauthenticated attackers submit commands which the system then executes. Alongside it, SAP reported three other serious NetWeaver vulnerabilities, with scores of 9.9, 9.6, and 9.1.

Security firm SecurityBridge reported that another serious SAP flaw, CVE-2025-42957 in the S/4HANA suite, was already being actively exploited. This flaw, with a score of 9.9, allows an attacker holding only ordinary user rights to take over the entire system. According to SecurityBridge, this could lead to fraud, data theft, espionage, or even ransomware.

Risk for Businesses

SAP emphasizes that the S/4HANA vulnerability effectively acts as a backdoor, jeopardizing the confidentiality, integrity, and availability of critical business processes. A simple phishing attack that yields a low-privileged account may be enough to gain full control over the SAP environment.

Other vulnerabilities affect SAP Business One, Commerce Cloud, Data Hub, HCM, and BusinessObjects, with severity scores between 3.1 and 8.8. SAP advises customers to install the patches as soon as possible; every delay increases the risk of being hit by active attacks.