CVE-2025-42925 MEDIUM

CVE-2025-42925: Predictable Object Identifier vulnerability in SAP NetWeaver AS Java (IIOP Service)

Vendor: SAP SE
Product: SAP NetWeaver AS Java (IIOP Service)
Weakness: CWE-341
Published: September 9, 2025
Last update: September 9, 2025

CVSS base score

4.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: Low
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

Due to the lack of randomness in assigning Object Identifiers in the SAP NetWeaver AS Java IIOP service, an authenticated attacker with low privileges could predict the identifiers by conducting a brute-force search. By leveraging knowledge of several identifiers generated close to the same time, the attacker could determine a desired identifier, which could enable them to access limited system information. This poses a low risk to confidentiality without impacting the integrity or availability of the service.

Key dates

Disclosure timeline

September 9, 2025: CVE published
September 9, 2025: Record updated