Date Posted: 2025/07/11
【Vulnerability Alert】SAP Releases Major Security Announcements for Multiple Products
- Subject: 【Vulnerability Alert】SAP Releases Major Security Announcements for Multiple Products
- Content Description:
- Forwarded from Taiwan Computer Emergency Response Team/Coordination Center TWCERTCC-200-202507-00000006
- 【CVE-2025-42967, CVSS: 9.9】 This vulnerability exists in SAP S/4HANA and SAP SCM Characteristic Propagation, allowing attackers with user privileges to exploit code to create documents, potentially gaining full control of the affected SAP system.
- 【CVE-2025-42980, CVSS: 9.1】 This vulnerability exists in SAP NetWeaver Enterprise Portal Federated Portal Network, allowing privileged users to upload untrusted or malicious content which, when deserialized, can lead to compromise of the host system.
- 【CVE-2025-42964, CVSS: 9.1】 This vulnerability exists in SAP NetWeaver Enterprise Portal Administration, allowing privileged users to upload untrusted or malicious content which, when deserialized, can lead to compromise of the host system.
- 【CVE-2025-42966, CVSS: 9.1】 SAP NetWeaver XML Data Archiving service has a Java deserialization vulnerability, allowing authenticated attackers with administrator privileges to affect the confidentiality, integrity, and availability of the application by exploiting specially crafted serialized Java objects.
- 【CVE-2025-42963, CVSS: 9.1】 SAP NetWeaver Application server's Java Log has a Java deserialization vulnerability, allowing authenticated attackers with administrator privileges to gain full control of the affected system, severely impacting the confidentiality, integrity, and availability of the application and host environment.
- Affected Platforms:
- SCMAPO 713, 714
- S4CORE 102, 103, 104
- S4COREOP 105, 106, 107, 108
- SCM 700, 701, 702, 712
- EP-RUNTIME 7.50
- J2EE-APPS 7.50
- LMNWABASICAPPS 7.50
- Suggested Measures:
- Please apply patches according to the solutions released on the official website: https://support.sap.com/en/my-support/knowledge-base/security-notes-news/july-2025.html
- References:
Computer and Communications Center
Network Systems Division Respectfully
