CVE-2025-42911

CWE-862 — Missing Authorization3 documents3 sources

Severity

4.3MEDIUM

EPSS

0.0%

top 89.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Netweaver (service Data Download)SAP SAP Basis

Timeline

PublishedSep 9

Description

SAP NetWeaver (Service Data Download) allows an authenticated user to call a remote-enabled function module, which could grant access to information about the SAP system and operating system. This leads to a low impact on confidentiality, with no effect on the integrity and availability of the application

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:NExploitability: 3.1 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5sap_se/sap_netweaver_(service_data_download)15 versions+14

▶NVDsap/sap_basis15 versions+14

Patches

Patch: url.sap ↗

🔴Vulnerability Details

CVEList

Missing Authorization check in SAP NetWeaver (Service Data Download)↗2025-09-09

▶

GHSA

GHSA-27gw-jcg6-cwrf: SAP NetWeaver (Service Data Download) allows an authenticated user to call a remote-enabled function module, which could grant access to information a↗2025-09-09

▶