CVE-2025-24869 MEDIUM

CVE-2025-24869: Information Disclosure vulnerability in SAP NetWeaver Application Server Java

Vendor SAP SE
Product SAP NetWeaver Application Server Java
Weakness CWE-863 · Incorrect authorization
Published February 11, 2025
Last update February 18, 2025

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

SAP NetWeaver Application Server Java allows an authenticated, low-privileged attacker (CVSS PR:L) to reach an endpoint that discloses information about deployed server components, including their XML definitions. Access to this information should be restricted to customer administrators, even though they may not need it. The XML files are not entirely SAP-internal, because they are deployed with the server. The result is a disclosure of potentially sensitive information with no impact on integrity or availability.
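The weakness class here is CWE-863: the endpoint checks that the caller is logged in but not that the caller is an administrator. The following added example (not code from SAP or from the advisory) models that pattern in a minimal form, with a vulnerable handler next to a hardened one and a differential access check of the kind a pentester or regression test would run after patching. The endpoint, role name, component name and XML content are all constructed for illustration; nothing here reflects the real NetWeaver endpoint or its descriptors.

```python
"""CWE-863 in miniature: authentication-only versus role-checked access to
a component descriptor endpoint, with a differential access check."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    authenticated: bool
    roles: frozenset = frozenset()


class Forbidden(Exception):
    """Raised when a request is refused by an access check."""


# Constructed sample data: one deployed component and its XML definition.
COMPONENT_XML = {
    "example.component": (
        '<component name="example.component">'
        "<datasource>jdbc/EXAMPLE</datasource></component>"
    ),
}

# Assumed role name for the administrator check; not a NetWeaver role name.
ADMIN_ROLE = "Administrator"


def get_descriptor_vulnerable(principal, component):
    """CWE-863 pattern: any authenticated user passes the only check."""
    if not principal.authenticated:
        raise Forbidden("login required")
    return COMPONENT_XML[component]


def get_descriptor_hardened(principal, component):
    """Authorization added: authentication plus an administrator role."""
    if not principal.authenticated:
        raise Forbidden("login required")
    if ADMIN_ROLE not in principal.roles:
        raise Forbidden("administrator role required")
    return COMPONENT_XML[component]


def access_matrix(handler, principals, component):
    """Differential check: which principals obtain the descriptor?

    Returns {principal name: True if the XML was disclosed, else False}.
    A KeyError for an unknown component is left to the caller on purpose.
    """
    result = {}
    for p in principals:
        try:
            handler(p, component)
            result[p.name] = True
        except Forbidden:
            result[p.name] = False
    return result


# Constructed test principals: the low-privileged user corresponds to the
# CVSS PR:L attacker in the record above.
PRINCIPALS = (
    Principal("anonymous", authenticated=False),
    Principal("lowpriv", authenticated=True, roles=frozenset({"User"})),
    Principal("admin", authenticated=True, roles=frozenset({"User", ADMIN_ROLE})),
)


if __name__ == "__main__":
    for label, handler in (("vulnerable", get_descriptor_vulnerable),
                           ("hardened", get_descriptor_hardened)):
        print(label, access_matrix(handler, PRINCIPALS, "example.component"))
```

The useful part for verification is `access_matrix`: run it with one non-administrative account and one administrator against the real endpoint after applying the vendor fix, and the expected outcome is that only the administrator row reads True.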

Key dates

Disclosure timeline

February 11, 2025 CVE published
February 18, 2025 Record updated