CVE-2025-24869 — Incorrect Authorization in SE SAP Netweaver Application Server Java

CWE-863 — Incorrect Authorization3 documents3 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 77.24%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Netweaver Application Server Java

Timeline

PublishedFeb 11

Description

SAP NetWeaver Application Server Java allows an attacker to access an endpoint that can disclose information about deployed server components, including their XML definitions. This information should ideally be restricted to customer administrators, even though they may not need it. These XML files are not entirely SAP-internal as they are deployed with the server. In such a scenario, sensitive information could be exposed without compromising its integrity or availability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

▶CVEListV5sap_se/sap_netweaver_application_server_javaWD-RUNTIME 7.50

🔴Vulnerability Details

GHSA

GHSA-5hch-xqwm-qw7j: SAP NetWeaver Application Server Java allows an attacker to access an endpoint that can disclose information about deployed server components, includi↗2025-02-11

▶

CVEList

Information Disclosure vulnerability in SAP NetWeaver Application Server Java↗2025-02-11

▶