SAP Patchday: NetWeaver products are vulnerable to malware attacks

Attackers can target SAP NetWeaver products and Business Objects, among others. Security updates are available for download.

On the July Patchday, SAP developers closed a total of five "critical" security vulnerabilities. In the worst-case scenario, malicious code can compromise systems. So far, there are no indications that attackers are already exploiting the vulnerabilities.

Admins can find information on the available security updates in the warning message for the current Patchday.

The critical vulnerabilities affect NetWeaver Enterprise Portal Administration (CVE-2025-42964), NetWeaver Enterprise Portal Federated Portal Network (CVE-2025-42980), S/4HANA and SCM (CVE-2025-42967) and NetWeaver Application Server for Java (CVE-2025-42963).

If an attacker has privileges at user level, they can execute malicious code in an unspecified way and thus gain full control over systems. In other cases, logged-in attackers can upload data prepared with malicious code to compromise computers.

In the context of NetWeaver Application Server for ABAP, attackers who are already logged in can also gain higher user rights due to authentication errors (CVE-2025-42953).

Due to an error in the Apache Struts component, attackers can upload and execute malicious code on the Business Objects Business Intelligence platform (CVE-2025-53677 "high"). In Business Warehouse and Plug-in Basis, authenticated attackers can manipulate database tables and thus render the system unusable (CVE-2025-42952 "high").

The majority of the remaining vulnerabilities are classified as "medium". Among other things, XSS attacks are conceivable at these points.

SAP also closed critical gaps in NetWeaver on the last patch day.

(des)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.