Auth bypass in Sap Netweaver_application_server_java

CVE-2025-42926

SAP NetWeaver Application Server Java does not perform an authentication check when an attacker attempts to access internal files within the web application.Upon successfully exploitation, an unauthenticated attacker could access these fil…

Vulnerability class: Broken Authentication

EPSS: 0.003 (19.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.

Affected products

Weakness classification (CWE)

References

Frequently asked questions

What is CVE-2025-42926?
CVE-2025-42926 is a medium-severity vulnerability in Sap Netweaver_application_server_java, classified under Missing Authentication for Critical Function. CVSS score: 5.3/10. Published 2025-09-09.
How severe is CVE-2025-42926?
Medium severity. CVSS v3 base score is 5.3 out of 10.