CVE-2025-42919

Information Disclosure vulnerability in SAP NetWeaver Application Server Java

CVSS 5.3 MEDIUMEPSS 0.4%CWE-22

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 5.3EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

11 Nov 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Due to an Information Disclosure vulnerability in SAP NetWeaver Application Server Java, internal metadata files could be accessed via manipulated URLs. An unauthenticated attacker could exploit this vulnerability by inserting arbitrary path components in the request, allowing unauthorized access to sensitive application metadata. This results in a partial compromise of the confidentiality of the information without affecting the integrity or availability of the application server.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected products

SAP_SE · SAP NetWeaver Application Server Java

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://me.sap.com/notes/3643603 https://url.sap/sapsecuritypatchday