CVE-2025-42963 CRITICAL

CVE-2025-42963: Insecure Deserialization in SAP NetWeaver Application Server for Java (Log Viewer )

Vendor Sap_Se

Product SAP NetWeaver Application Server for Java (Log Viewer )

Weakness CWE-502 · Unsafe deserialization

Published July 8, 2025

Last update February 26, 2026

View on NVD All CVEs

CVSS base score

9.1/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

Description

A critical vulnerability in SAP NetWeaver Application server for Java Log Viewer enables authenticated administrator users to exploit unsafe Java object deserialization. Successful exploitation can lead to full operating system compromise, granting attackers complete control over the affected system. This results in a severe impact on the confidentiality, integrity, and availability of the application and host environment.

Key dates

Disclosure timeline

July 8, 2025 CVE published

February 26, 2026 Record updated

Identifiers

CVE CVE-2025-42963

CWE CWE-502

CVSS 9.1 / CRITICAL

Affected versions

Vendor Sap_Se

Product SAP NetWeaver Application Server for Java (Log Viewer )

Affected LMNWABASICAPPS 7.50