CVE-2025-42978 — Improper Verification of Source of a Communication Channel in SE SAP Netweaver Application Server Java

CWE-940 — Improper Verification of Source of a Communication Channel3 documents3 sources

Severity

3.5LOWNVD

EPSS

0.0%

top 92.60%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Netweaver Application Server Java

Timeline

PublishedJul 8

Description

The widely used component that establishes outbound TLS connections in SAP NetWeaver Application Server Java does not reliably match the hostname that is used for the connection against the wildcard hostname defined in the received certificate of remote TLS server. This might lead to the outbound connection being established to a possibly malicious remote TLS server and hence disclose information. Integrity and Availability are not impacted.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:NExploitability: 2.1 | Impact: 1.4

Affected Packages1 packages

▶CVEListV5sap_se/sap_netweaver_application_server_javaENGINEAPI 7.50

🔴Vulnerability Details

GHSA

GHSA-2hqw-mcx8-2828: The widely used component that establishes outbound TLS connections in SAP NetWeaver Application Server Java does not reliably match the hostname that↗2025-07-08

▶

CVEList

Insufficiently Secure Hostname Verification for Outbound TLS Connections in SAP NetWeaver Application Server Java↗2025-07-08

▶