Karl.Fail

Tag: netweaver

  • CVE-2025-0070: Critical Improper Authentication in SAP NetWeaver ABAP Server

    Overview

    On January 14, 2025, SAP published a critical vulnerability identified as CVE-2025-0070 affecting the SAP NetWeaver Application Server for ABAP and ABAP Platform. The flaw is categorized under CWE-287: Improper Authentication and allows authenticated attackers to escalate privileges due to insufficient authentication enforcement.

    Vulnerability Details

    The vulnerability exists in the authentication logic of the ABAP platform. An attacker with valid user credentials can exploit improper authentication checks to gain unauthorized access to system functionality. This allows the attacker to escalate privileges and potentially control critical components of the affected SAP environment.

    Successful exploitation leads to a high impact on system confidentiality, integrity, and availability. Given the scope change and low complexity, this vulnerability presents a significant risk in enterprise SAP environments.

    Technical Breakdown

    This vulnerability is rated as Critical with a CVSS v3.1 base score of 9.9. The CVSS vector is:

    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

    Key attributes include:

    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
    • Confidentiality, Integrity, Availability Impact: High

    Impacted Versions

    The following SAP kernel versions are affected:

    • KRNL64NUC 7.22
    • 7.22EXT
    • KRNL64UC 7.22
    • 7.53, 7.54, 7.77, 7.89, 7.93, 7.97
    • 8.04, 9.12, 9.13, 9.14
    • KERNEL 7.22

    Understanding CWE-287

    CWE-287 highlights scenarios where systems fail to properly authenticate users or validate their permissions before granting access. In the context of SAP, such a flaw can be especially dangerous given the critical role these systems play in business operations.

    Recommendations

    • Apply the latest security patches provided in SAP Note 3537476.
    • Audit user roles and authentication configurations across all affected systems.
    • Limit access to exposed services and interfaces wherever possible.
    • Monitor logs for signs of unauthorized access or privilege escalation attempts.

    Conclusion

    CVE-2025-0070 represents a severe authentication failure in core SAP components. Due to the high potential impact and ease of exploitation, organizations should treat remediation as a priority and ensure all safeguards are in place to protect sensitive enterprise environments.

  • CVE-2025-42999: Insecure Deserialization in SAP NetWeaver Visual Composer

    Overview

    On May 13, 2025, SAP published a critical vulnerability identified as CVE-2025-42999 affecting the Visual Composer development server within SAP NetWeaver. The issue is classified under CWE-502: Deserialization of Untrusted Data, a well-known class of vulnerabilities that can allow attackers to compromise the confidentiality, integrity, and availability of a system.

    Vulnerability Details

    The vulnerability impacts the following product:

    • Product: SAP NetWeaver Visual Composer Metadata Uploader
    • Version Affected: VCFRAMEWORK 7.50

    The flaw occurs when a privileged user uploads malicious or untrusted metadata content to the server. When this content is deserialized, it can lead to the execution of arbitrary code or other serious consequences depending on the payload and environment. Although the attacker must already have high privileges, exploitation does not require any user interaction and can be performed over a network.

    Technical Analysis

    The vulnerability has a CVSS v3.1 base score of 9.1, indicating critical severity. The vector string is:

    CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

    Key metrics include:

    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Changed
    • Confidentiality, Integrity, Availability Impact: High

    This means a high-privileged user can exploit the vulnerability remotely without triggering any user interaction, and the resulting impact may extend beyond the original component being attacked.

    Understanding CWE-502

    Deserialization of Untrusted Data occurs when an application processes serialized data from an untrusted source without adequate validation. In SAP NetWeaver’s case, improperly validated metadata may be deserialized and trigger arbitrary behavior. Such flaws can be difficult to detect and are often exploited in advanced attacks that aim to execute code or escalate privileges.

    Exploitation and Threat Landscape

    According to the CISA KEV catalog, this vulnerability is actively being exploited in the wild. It has also been highlighted in SAP’s official security notes. The Onapsis research team confirmed exploitation evidence and emphasized its criticality for SAP environments.

    Recommendations

    To mitigate this vulnerability, SAP recommends:

    • Applying patches or mitigations provided in the latest SAP Security Patch Day updates.
    • Restricting access to systems where deserialization may occur.
    • Implementing secure coding practices to avoid unsafe deserialization patterns.
    • Monitoring for unusual privileged user activity and uploads.

    Conclusion

    CVE-2025-42999 highlights the risks associated with deserialization vulnerabilities, especially in complex enterprise environments like SAP. Due to its high severity and active exploitation, organizations should prioritize patching and review their use of metadata handling and upload functions.