Critical SAP NetWeaver Vulnerabilities Let Attacker Gain Access to the system
SAP has disclosed two critical vulnerabilities in its NetWeaver Application Server for ABAP and ABAP Platform, urging immediate action to mitigate potential security risks. The vulnerabilities tracked as CVE-2025-0070 and CVE-2025-0066, both carry a CVSS v3.1 base score of 9.9, reflecting their critical severity. CVE-2025-0070: Improper Authentication CVE-2025-0070 is classified as an improper authentication vulnerability […] The post Critical SAP NetWeaver Vulnerabilities Let Attacker Gain Access to the system appeared first on Cyber Security News.
SAP has disclosed two critical vulnerabilities in its NetWeaver Application Server for ABAP and ABAP Platform, urging immediate action to mitigate potential security risks.
The vulnerabilities tracked as CVE-2025-0070 and CVE-2025-0066, both carry a CVSS v3.1 base score of 9.9, reflecting their critical severity.
CVE-2025-0070: Improper Authentication
CVE-2025-0070 is classified as an improper authentication vulnerability (CWE-287). It allows an authenticated attacker to exploit weaknesses in authentication checks within SAP NetWeaver Application Server for ABAP and ABAP Platform.
Successful exploitation can result in privilege escalation, enabling attackers to gain unauthorized access to sensitive data, manipulate configurations, and disrupt system operations.
The vulnerability impacts multiple versions of SAP NetWeaver, including KRNL64NUC 7.22, 7.53, 8.04, and others up to version 9.14. The attack vector is network-based with low attack complexity, requiring minimal privileges and no user interaction. This makes it relatively easy for attackers to exploit.
SAP has not yet released a patch for this vulnerability but recommends implementing strong access controls, monitoring authentication attempts, applying the principle of least privilege, and using network segmentation to isolate critical systems.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free
CVE-2025-0066: Weak Access Controls
CVE-2025-0066 stems from weak access controls in the Internet Communication Framework of SAP NetWeaver AS for ABAP and ABAP Platform (CWE-732).
Under specific conditions, this flaw allows attackers to access restricted information, potentially compromising the confidentiality, integrity, and availability of affected applications.
The vulnerability affects versions ranging from SAP_BASIS 700 to SAP_BASIS 914. Like CVE-2025-0070, this issue is exploitable via a network-based attack with low complexity and minimal privileges required. Exploitation could lead to unauthorized data access, data manipulation, or service disruption.
Mitigation measures include reviewing existing permissions, enforcing strong access controls, auditing sensitive resource access logs, and ensuring systems are updated with the latest security configurations.
SAP disclosed these vulnerabilities as part of its January 2025 Security Patch Day. While patches for these specific issues have not been confirmed as of now, the company has urged customers to prioritize securing their systems by applying available updates and following recommended best practices.
These vulnerabilities underscore the importance of proactive security measures in enterprise environments. Organizations using SAP NetWeaver are advised to act swiftly to minimize risks associated with these critical flaws.
For further details on mitigating these vulnerabilities or accessing updates as they become available, SAP customers are encouraged to consult the official SAP Support Portal.
Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates!
The post Critical SAP NetWeaver Vulnerabilities Let Attacker Gain Access to the system appeared first on Cyber Security News.
