Auth bypass in Sap Netweaver_application_server_java
CVE-2025-42926
SAP NetWeaver Application Server Java does not perform an authentication check when an attacker attempts to access internal files within the web application.Upon successfully exploitation, an unauthenticated attacker could access these fil…
Vulnerability class: Broken Authentication
EPSS: 0.003 (19.9th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.
Affected products
- Sap Netweaver_application_server_java — versions 7.50
- Sap_se Sap Netweaver Application Server Java — versions WD-RUNTIME 7.50
Weakness classification (CWE)
References
- cna@sap.com (Permissions Required)
- cna@sap.com (Patch)
Frequently asked questions
- What is CVE-2025-42926?
- CVE-2025-42926 is a medium-severity vulnerability in Sap Netweaver_application_server_java, classified under Missing Authentication for Critical Function. CVSS score: 5.3/10. Published 2025-09-09.
- How severe is CVE-2025-42926?
- Medium severity. CVSS v3 base score is 5.3 out of 10.