CVE-2025-42968: Missing Authorization in SE SAP Netweaver

Severity
NVD: 4.3 MEDIUM
CNA: 5.0
EPSS: 0.1% (top 83.78%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Jul 8

Description

SAP NetWeaver allows an authenticated non-administrative user to call the remote-enabled function module, which could grant access to non-sensitive information about the SAP system and OS without requiring any specific knowledge or controlled conditions. This leads to a low impact on confidentiality with no effect on integrity or availability of the application.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (2 packages)

NVD: sap/netweaver (18 versions)
CVEListV5: sap_se/sap_netweaver (18 versions)

Patches

Vulnerability Details (2)

CVEList (2025-07-08): Missing Authorization check in SAP NetWeaver (RFC enabled function module)
GHSA (2025-07-08): GHSA-hv7q-mjj7-m8vj: SAP NetWeaver allows an authenticated non-administrative user to call the remote-enabled function module which could grant access to non-sensitive in