A critical vulnerability, CVE-2025-42922, has been discovered in SAP NetWeaver that allows an authenticated, low-privileged attacker to execute arbitrary code and achieve a full system compromise.
The flaw resides in the Deploy Web Service upload mechanism, where insufficient access control validation permits the upload and execution of malicious files.
This vulnerability poses a significant risk to organizations relying on affected SAP systems, as it can be exploited to gain complete control over the server.
SAP NetWeaver Vulnerability
According to Vahagn Vardanian, the root cause of the vulnerability is an insecure file upload function within the Deploy Web Service.
The service incorrectly accepts multipart/form-data requests without proper Role-Based Access Control (RBAC) enforcement or validation of the file type and content.
This oversight is due to incorrect authentication annotations and insufficient role checks in the application’s code.
Consequently, an attacker who has obtained any valid low-level user credentials can bypass security controls that should restrict file deployment capabilities to administrative users only, Vahagn Vardanian said.
The mechanism fails to verify if the authenticated user has the necessary permissions to perform such a sensitive operation, creating a direct path to code execution.
An attacker can exploit this vulnerability by first gaining access to a low-privileged user account.
Using these credentials, they can authenticate to the vulnerable Deploy Web Service and craft a multipart request containing a malicious file, such as a JavaServer Pages (JSP) script.
The application improperly accepts and uploads this file to a directory on the server where it can be executed.
The attacker then simply needs to trigger the execution of the uploaded file by accessing its URL. Successful exploitation results in arbitrary code execution with the privileges of the SAP service account.
This allows the threat actor to escalate privileges, move laterally across the network, exfiltrate sensitive data, or deploy further malware, leading to a complete server takeover.
Mitigations
To address this critical issue, organizations are strongly urged to apply the patches released in SAP Security Note 3643865 immediately.
Before patching, administrators should perform a dependency analysis as outlined in SAP Note 1974464. For systems that cannot be patched right away, SAP has provided a temporary workaround in KBA 3646072.
As a supplementary measure, access to the Deploy Web Service should be restricted to administrative users only.
Security teams should audit system logs for Indicators of Compromise (IOCs), such as HTTP POST requests to DeployWS endpoints from non-administrative accounts, multipart/form-data submissions containing executable file types (JSP, WAR, EAR), or deployment activities occurring at unusual hours.
A sample filter for logs or a Web Application Firewall (WAF) could be: source.user != "admin" AND http.method == "POST" AND http.path CONTAINS "DeployWS".
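The three IOC checks described above (non-administrative POSTs to DeployWS, multipart uploads of executable file types, and off-hours deployment activity), implemented as an added example that is not part of the advisory or of any SAP tooling. The log line format, the admin account list and the business-hours window are assumptions; the sample log lines are constructed.

```python
import re
from datetime import datetime

# Constructed sample access-log lines (not from any real SAP system). The
# layout is assumed: timestamp user method path content-type filename
SAMPLE_LOG = """\
2025-09-10T14:02:11 j.doe POST /DeployWS/upload multipart/form-data report.pdf
2025-09-10T03:17:45 j.doe POST /DeployWS/upload multipart/form-data shell.jsp
2025-09-10T09:30:02 admin POST /DeployWS/upload multipart/form-data app.ear
2025-09-10T11:45:09 j.doe GET /irj/portal text/html -
"""

ADMIN_USERS = {"admin"}               # assumed administrative accounts
EXEC_EXTS = {".jsp", ".war", ".ear"}  # executable types named in the advisory
BUSINESS_HOURS = range(7, 20)         # assumed 07:00-19:59 local time

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"(?P<ctype>\S+) (?P<fname>\S+)$"
)

def parse_line(line):
    """Split one log line into named fields, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def check_event(ev):
    """Return the list of IOC labels that apply to one parsed event."""
    hits = []
    is_deploy_post = ev["method"] == "POST" and "DeployWS" in ev["path"]
    if is_deploy_post and ev["user"] not in ADMIN_USERS:
        hits.append("non-admin DeployWS POST")
    parts = ev["fname"].lower().rsplit(".", 1)
    if (ev["ctype"].startswith("multipart/form-data")
            and len(parts) == 2 and "." + parts[1] in EXEC_EXTS):
        hits.append("executable upload")
    hour = datetime.fromisoformat(ev["ts"]).hour
    if is_deploy_post and hour not in BUSINESS_HOURS:
        hits.append("off-hours deployment")
    return hits

def scan(log_text):
    """Map each suspicious line to its IOC labels; clean lines are omitted."""
    findings = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and (hits := check_event(ev)):
            findings[line] = hits
    return findings
```

Running scan(SAMPLE_LOG) flags three of the four constructed lines; the plain portal GET produces no hits.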