← back
CVE-2025-42926

Missing Authentication check in SAP NetWeaver Application Server Java

CVSS 5.3 MEDIUMEPSS 0.3%CWE-306
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.3EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
09 Sep 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
SAP NetWeaver Application Server Java does not perform an authentication check when an attacker attempts to access internal files within the web application.Upon successfully exploitation, an unauthenticated attacker could access these files to gather additional sensitive information about the system.This vulnerability has a low impact on confidentiality and does not affect the integrity or availability of the server.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Affected products
SAP_SE · SAP NetWeaver Application Server Java

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://me.sap.com/notes/3619465https://url.sap/sapsecuritypatchday