CVE-2025-42926

CWE-306 — Missing Authentication3 documents3 sources

Severity

5.3MEDIUM

EPSS

0.1%

top 75.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Netweaver Application Server Java SAP Netweaver Application Server Java

Timeline

PublishedSep 9

Description

SAP NetWeaver Application Server Java does not perform an authentication check when an attacker attempts to access internal files within the web application.Upon successfully exploitation, an unauthenticated attacker could access these files to gather additional sensitive information about the system.This vulnerability has a low impact on confidentiality and does not affect the integrity or availability of the server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5sap_se/sap_netweaver_application_server_javaWD-RUNTIME 7.50

▶NVDsap/netweaver_application7.50

Patches

Patch: url.sap ↗

🔴Vulnerability Details

GHSA

GHSA-cwj5-q4hx-xggm: SAP NetWeaver Application Server Java does not perform an authentication check when an attacker attempts to access internal files within the web appli↗2025-09-09

▶

CVEList

Missing Authentication check in SAP NetWeaver Application Server Java↗2025-09-09

▶