CVE-2025-42884 MEDIUM

CVE-2025-42884: JNDI Injection vulnerability in SAP NetWeaver Enterprise Portal

Vendor Sap_Se
Product SAP NetWeaver Enterprise Portal
Weakness CWE-943
Published November 11, 2025
Last update November 12, 2025

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject JNDI environment properties or pass a URL used during JNDI lookup operations, enabling access to an unintended JNDI provider.�This could further lead to disclosure or modification of information about the server. There is no impact on availability.

Key dates

02Disclosure timeline

November 11, 2025 CVE published
November 12, 2025 Record updated