Bert Ransomware Strikes Worldwide Using Multiple Variants – Active IOCs
July 8, 2025
Severity
High
Analysis Summary
CVE-2025-42980 CVSS:9.1
SAP NetWeaver Enterprise Portal Federated Portal Network is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.
CVE-2025-42967 CVSS:9.1
SAP S/4HANA and SAP SCM Characteristic Propagation has a remote code execution vulnerability. This allows an attacker with high privileges to create a new report containing their own code, potentially gaining full control of the affected SAP system and causing high impact on the confidentiality, integrity, and availability of the application.
CVE-2025-42966 CVSS:9.1
SAP NetWeaver XML Data Archiving Service allows an authenticated attacker with administrative privileges to exploit an insecure Java deserialization vulnerability by sending a specially crafted serialized Java object. This could lead to high impact on confidentiality, integrity, and availability of the application.
CVE-2025-42963 CVSS:9.1
A critical vulnerability in SAP NetWeaver Application Server for Java Log Viewer enables authenticated administrator users to exploit unsafe Java object deserialization. Successful exploitation can lead to full operating system compromise, granting attackers complete control over the affected system. This results in a severe impact on the confidentiality, integrity, and availability of the application and host environment.
CVE-2025-42964 CVSS:9.1
SAP NetWeaver Enterprise Portal Administration is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.
CVE-2025-42959 CVSS:8.1
An unauthenticated attacker may exploit a scenario where a Hashed Message Authentication Code (HMAC) credential, extracted from a system missing specific security patches, is reused in a replay attack against a different system. Even if the target system is fully patched, successful exploitation could result in complete system compromise, affecting confidentiality, integrity, and availability.
CVE-2025-42953 CVSS:8.1
SAP NetWeaver System Configuration does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This could completely compromise the integrity and availability of the system, with no impact on confidentiality.
CVE-2025-42952 CVSS:7.7
SAP Business Warehouse and SAP Plug-In Basis allow an authenticated attacker to add fields to arbitrary SAP database tables and/or structures, potentially rendering the system unusable. On successful exploitation, an attacker can render the system unusable by triggering short dumps on login. This could cause a high impact on availability. Data confidentiality and integrity are not affected. No data can be read, changed, or deleted.
Impact
- Code Execution
- Privilege Escalation
- Gain Access
Indicators of Compromise
CVE
- CVE-2025-42980
- CVE-2025-42967
- CVE-2025-42966
- CVE-2025-42963
- CVE-2025-42964
- CVE-2025-42959
- CVE-2025-42953
- CVE-2025-42952
Affected Vendors
Affected Products
- SAP S/4HANA
- SAP SCM
- SAP NetWeaver XML Data Archiving Service
- SAP NetWeaver Enterprise Portal
- SAP NetWeaver System
- SAP Business Warehouse and SAP Plug-In
Remediation
Refer to the SAP website for patch, upgrade, or suggested workaround information. (Login required)