
Critical Vulnerability Patched in SAP NetWeaver

Tracked as CVE-2025-42989 (CVSS score of 9.6), the critical bug is described as a missing authorization check in the NetWeaver application server for ABAP.

According to software security firm Onapsis, the issue resides in the Remote Function Call (RFC) framework and allows attackers to bypass authorization checks and elevate their privileges.

“Under certain conditions, authenticated attackers can bypass the standard authorization check on authorization object S_RFC when using transactional (tRFC) or queued RFCs (qRFC), leading to an escalation of privileges. This allows an attacker to critically impact the application’s integrity and availability,” Onapsis explains.

Organizations that apply SAP's note may need to assign additional S_RFC permissions to some users, the security firm points out: once the check is enforced for tRFC and qRFC calls, users whose workflows previously ran without the required S_RFC authorization will start to fail.
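The S_RFC check that the advisory describes is normally performed by the RFC framework before a remote-enabled function module runs. As an added illustration (this is not code from the article, from Onapsis, or from SAP's note, and it is not a substitute for applying that note), the following function module performs an explicit S_RFC check of its own, so that the caller's authorization is verified regardless of which RFC variant delivered the call. The function name Z_DEMO_RFC_GUARDED and the function group ZDEMO are assumed for the example; the fields of the authorization object (RFC_TYPE, RFC_NAME, ACTVT with activity 16 for execute) are the standard ones.

```abap
" Added example, not from the original article or from SAP.
" Remote-enabled function module that re-checks authorization object S_RFC
" inside the module body, as defense in depth on top of the framework check.
FUNCTION z_demo_rfc_guarded.
*"----------------------------------------------------------------------
*"*"Local Interface:
*"  IMPORTING
*"     VALUE(IV_INPUT) TYPE STRING
*"  EXPORTING
*"     VALUE(EV_OUTPUT) TYPE STRING
*"  EXCEPTIONS
*"      NOT_AUTHORIZED
*"----------------------------------------------------------------------
  " Hypothetical names for this example; substitute the real function
  " group and function module when reusing the pattern.
  CONSTANTS: lc_fugr TYPE c LENGTH 30 VALUE 'ZDEMO',
             lc_func TYPE c LENGTH 30 VALUE 'Z_DEMO_RFC_GUARDED'.

  " S_RFC fields: RFC_TYPE (FUGR = function group, FUNC = function module),
  " RFC_NAME (name of that group or module), ACTVT 16 = execute.
  " First test at function-group granularity, which is how S_RFC roles
  " are most commonly maintained.
  AUTHORITY-CHECK OBJECT 'S_RFC'
    ID 'RFC_TYPE' FIELD 'FUGR'
    ID 'RFC_NAME' FIELD lc_fugr
    ID 'ACTVT'    FIELD '16'.
  IF sy-subrc <> 0.
    " Fall back to a function-module-level grant before refusing.
    AUTHORITY-CHECK OBJECT 'S_RFC'
      ID 'RFC_TYPE' FIELD 'FUNC'
      ID 'RFC_NAME' FIELD lc_func
      ID 'ACTVT'    FIELD '16'.
    IF sy-subrc <> 0.
      " Classic exception: the caller (including a tRFC/qRFC LUW) sees
      " NOT_AUTHORIZED instead of silently getting the module's result.
      RAISE not_authorized.
    ENDIF.
  ENDIF.

  " Only reached when the calling user holds a matching S_RFC authorization.
  ev_output = |processed: { iv_input }|.
ENDFUNCTION.
```

The in-module check mirrors what the framework does for synchronous RFC, so a role that already works for sRFC needs no change. It also makes the consequence of the note visible early: a user whose tRFC or qRFC calls reached this module only because the framework check was skipped will now raise NOT_AUTHORIZED, which is the case the advisory warns may require granting additional S_RFC authorizations.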

To read the complete article see: Full Article

This post is licensed under CC BY 4.0 by the author.