As hackers exploit a high-severity vulnerability in SAP’s flagship Enterprise Resource Planning software product, the software maker is warning users of more than two dozen newly detected vulnerabilities in its other widely used products, including a security flaw with a maximum-severity rating of 10.
SAP on Tuesday said the highest-severity vulnerability—with a rating of 10 out of a possible 10—was found in NetWeaver, a platform that serves as the technical foundation for many of the company’s other enterprise applications. The vulnerability, tracked as CVE-2025-42944, makes it possible for unauthenticated attackers to execute commands by submitting malicious payloads to an open port.
The maximum-severity threat stems from a deserialization vulnerability. Serialization is a coding process that translates data structures and object states into formats that can be stored or transmitted and then reconstructed later. Deserialization is the process in reverse.
In Tuesday’s disclosure, SAP revealed three other high-severity NetWeaver vulnerabilities, with ratings of 9.9, 9.6, and 9.1.
Word of the newly documented vulnerabilities comes five days after security firm SecurityBridge reported that a separate high-severity vulnerability SAP patched last month was under active exploitation in the wild. That vulnerability, tracked as CVE-2025-42957 and carrying a severity rating of 9.9, resides in SAP S/4HANA, an ERP (Enterprise Resource Planning) software suite developed for managing large organizations’ complex business processes, including those for finance, accounting, and HR.
SecurityBridge warned that CVE-2025-42957 allowed hackers with minimal system rights to mount “a complete system compromise with minimal effort required, where successful exploitation can easily lead to fraud, data theft, espionage, or the installation of ransomware.”
The security firm went on to write:
“The attacker needs only low-level credentials on the SAP system (any valid user account with permissions to call the vulnerable RFC module and the specific S_DMIS authorization with activity 02), and no user interaction is required.
“The attack complexity is low and can be performed over the network, which is why the CVSS score is so high (9.9). In summary, a malicious insider or a threat actor who has gained basic user access (through phishing, for example) could leverage this flaw to escalate into full control of the SAP environment.”
SAP, for its part, warned: “This flaw operates as a backdoor, allowing unauthorized access to SAP systems and jeopardizing confidentiality, integrity, and availability. Without immediate mitigation, your SAP S/4HANA system could be severely compromised.” The post makes no mention of active exploitation.
Other vulnerabilities SAP reported Tuesday affected a range of products, including SAP Business One, SAP Landscape Transformation Replication Server, SAP Commerce Cloud, SAP Datahub, SAP Business Planning and Consolidation, SAP HCM, SAP BusinessObjects Business Intelligence Platform, SAP Supplier Relationship Management, and Fiori. Severity ratings of those vulnerabilities range from 3.1 to 8.8.
All vulnerabilities mentioned in this post, particularly those with high severity ratings, should be patched as soon as possible. SAP has more information on its security page.