CVE-2025-42926 MEDIUM

CVE-2025-42926: Missing Authentication check in SAP NetWeaver Application Server Java

Vendor Sap_Se

Product SAP NetWeaver Application Server Java

Weakness CWE-306 · Missing auth

Published September 9, 2025

Last update September 9, 2025

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

Description

SAP NetWeaver Application Server Java does not perform an authentication check when an attacker attempts to access internal files within the web application.Upon successfully exploitation, an unauthenticated attacker could access these files to gather additional sensitive information about the system.This vulnerability has a low impact on confidentiality and does not affect the integrity or availability of the server.

Key dates

Disclosure timeline

September 9, 2025 CVE published

September 9, 2025 Record updated

Identifiers

CVE CVE-2025-42926

CWE CWE-306

CVSS 5.3 / MEDIUM

Affected versions

Vendor Sap_Se

Product SAP NetWeaver Application Server Java

Affected WD-RUNTIME 7.50