Platform
sap
Component
sap-netweaver-application-server-for-abap-and-abap-platform
Opgelost in
64.0.1
7.22.1
64.0.1
7.53.1
7.22.1
7.54.1
7.77.1
7.89.1
7.93.1
7.97.1
9.12.1
9.13.1
9.14.1
CVE-2025-0070 is a critical vulnerability affecting SAP NetWeaver ABAP Server and ABAP Platform versions 7.22–KRNL64UC 7.22. An authenticated attacker can exploit improper authentication checks to gain illegitimate access and escalate privileges within the system. This poses a significant risk to the confidentiality, integrity, and availability of sensitive data and critical operations. The vulnerability is resolved in version 64.0.1.
Successful exploitation of CVE-2025-0070 allows an authenticated attacker to bypass authentication controls and elevate their privileges within the SAP NetWeaver environment. This can lead to unauthorized access to sensitive data, modification of critical system configurations, and potentially complete control over the affected system. Attackers could leverage this to steal intellectual property, disrupt business operations, or launch further attacks against other systems within the network. The impact is particularly severe given the widespread use of SAP NetWeaver in mission-critical business processes.
CVE-2025-0070 has been published and is considered a high-priority vulnerability. Public proof-of-concept exploits are not yet widely available, but the critical CVSS score suggests a high probability of exploitation. It is advisable to prioritize remediation efforts. The vulnerability was disclosed on 2025-01-14. Monitor security advisories and threat intelligence feeds for updates on exploitation activity.
Organizations heavily reliant on SAP NetWeaver for core business processes are particularly at risk. This includes industries such as manufacturing, finance, and healthcare. Systems running older, unsupported versions of SAP NetWeaver are also at increased risk due to the lack of security updates. Shared hosting environments utilizing SAP NetWeaver should be carefully assessed for potential cross-tenant vulnerabilities.
• java / server:
ps -ef | grep -i netweaver• java / server:
journalctl -u sapstartsrv | grep -i authentication• generic web:
curl -I <SAP_NetWeaver_URL>disclosure
Exploit Status
EPSS
0.16% (37% percentiel)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2025-0070 is to upgrade to SAP NetWeaver ABAP Server and ABAP Platform version 64.0.1 or later. Prior to upgrading, it is crucial to review SAP's upgrade documentation and perform thorough testing in a non-production environment to avoid compatibility issues. If immediate upgrading is not feasible, consider implementing stricter authentication controls and limiting user privileges to the minimum necessary. Monitor SAP system logs for suspicious activity related to authentication failures or privilege escalation attempts. After upgrading, confirm the fix by attempting to reproduce the vulnerability using known exploitation techniques and verifying that authentication checks are functioning as expected.
Pas de beveiligingsupdate toe die door SAP wordt geleverd. Raadpleeg SAP nota 3537476 voor gedetailleerde instructies over hoe de update te installeren en de kwetsbaarheid te mitigeren.
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
CVE-2025-0070 is a critical vulnerability in SAP NetWeaver ABAP Server and ABAP Platform allowing authenticated attackers to escalate privileges, potentially gaining full control of the system.
If you are running SAP NetWeaver ABAP Server and ABAP Platform versions 7.22–KRNL64UC 7.22, you are potentially affected by this vulnerability. Check your version and upgrade accordingly.
Upgrade to SAP NetWeaver ABAP Server and ABAP Platform version 64.0.1 or later. Review SAP's upgrade documentation and test thoroughly before applying the update.
While public exploits are not widespread, the critical CVSS score indicates a high probability of exploitation. Monitor security advisories and threat intelligence feeds.
Refer to the official SAP Security Notes and Advisories on the SAP Support Portal for detailed information and remediation guidance.
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.