CVE-2025-42925Predictable from Observable State in SE SAP Netweaver AS Java

CWE-341Predictable from Observable State3 documents3 sources
Severity
4.3MEDIUMNVD
EPSS
0.0%
top 88.83%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
SAP SE SAP Netweaver AS Java
Timeline
PublishedSep 9

Description

Due to the lack of randomness in assigning Object Identifiers in the SAP NetWeaver AS JAVA IIOP service, an authenticated attacker with low privileges could predict the identifiers by conducting a brute force search. By leveraging knowledge of several identifiers generated close to the same time, the attacker could determine a desired identifier which could enable them to access limited system information. This poses a low risk to confidentiality without impacting the integrity or availability o

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

CVEListV5sap_se/sap_netweaver_as_javaSERVERCORE 7.50

🔴Vulnerability Details

2
GHSA
GHSA-8wc6-6cpf-9jh3: Due to the lack of randomness in assigning Object Identifiers in the SAP NetWeaver AS JAVA IIOP service, an authenticated attacker with low privileges2025-09-09
CVEList
Predictable Object Identifier vulnerability in SAP NetWeaver AS Java (IIOP Service)2025-09-09
CVE-2025-42925 — Predictable from Observable State | cvebase