A critical vulnerability, identified as CVE-2025-42922, has been discovered in SAP NetWeaver Application Server (AS) Java. This flaw allows a low-privileged authenticated user to upload a malicious file, which, when executed, can result in a complete compromise of the affected system. Successful exploitation could lead to total loss of data confidentiality, integrity, and availability of critical business systems.

The vulnerability exists within a service on the SAP NetWeaver AS Java platform that improperly validates file uploads. An attacker who has authenticated as a non-administrative user can exploit this weakness to upload an arbitrary file, such as a web shell or other malicious script, to a location on the server. By subsequently accessing and executing this file, the attacker can achieve remote code execution with the privileges of the SAP service, leading to a full compromise of the underlying server.

This vulnerability is rated as critical severity with a CVSS score of 9.9, reflecting the profound potential for damage. A successful attack could result in the complete loss of confidentiality, integrity, and availability of the SAP system and the data it processes. The consequences include theft of sensitive corporate data (e.g., financial records, customer PII, intellectual property), disruption of core business operations reliant on SAP, financial fraud, and reputational damage. The compromised system could also be used as a staging point to launch further attacks against the internal network.

Immediate Action: The primary remediation is to apply the security patches released by SAP as soon as possible. Organizations should follow their change management process to test and deploy the update for SAP NetWeaver AS Java to the latest version across all affected systems.

Proactive Monitoring: Security teams should actively monitor for signs of exploitation. This includes scrutinizing application and web server logs for suspicious file upload attempts (e.g., POST requests with unexpected file types like .jsp) and subsequent requests to execute those files. Monitor for anomalous outbound network connections or unexpected processes spawning from the SAP application service, as these could indicate a successful compromise.

Compensating Controls: If immediate patching is not feasible, consider implementing the following controls:

• Restrict network access to the affected SAP services to only trusted hosts and networks.
• Employ a Web Application Firewall (WAF) with rules specifically designed to inspect and block malicious or unexpected file uploads.
• Enforce the principle of least privilege for all user accounts, ensuring non-administrative users have the absolute minimum permissions required for their roles.
• Increase log verbosity and monitoring on affected systems to enhance detection capabilities.

Public Exploit Available: False

Given the critical severity (CVSS 9.9) of CVE-2025-42922, we strongly recommend that organizations treat this vulnerability as an immediate and significant threat. The risk of full system compromise from a low-privileged user necessitates urgent action. Although this CVE is not yet on the CISA KEV list, its impact warrants invoking emergency patching procedures. All organizations using the affected SAP products must prioritize the deployment of the vendor-supplied security updates to prevent potential compromise of their critical business infrastructure.