
CVE-2025-42986 – Missing Authorization check in SAP NetWeaver and ABAP Platform
https://notcve.org/view.php?id=CVE-2025-42986
08 Jul 2025 — Due to a missing authorization check in an obsolete RFC enabled function module in SAP BASIS, an authenticated low-privileged attacker could call a Remote Function Call (RFC), potentially accessing restricted system information. This results in low impact on confidentiality, with no impact on integrity or availability of the application. • https://me.sap.com/notes/3626440 • CWE-862: Missing Authorization •

CVE-2025-42978 – Insufficiently Secure Hostname Verification for Outbound TLS Connections in SAP NetWeaver Application Server Java
https://notcve.org/view.php?id=CVE-2025-42978
08 Jul 2025 — The widely used component that establishes outbound TLS connections in SAP NetWeaver Application Server Java does not reliably match the hostname that is used for the connection against the wildcard hostname defined in the received certificate of remote TLS server. This might lead to the outbound connection being established to a possibly malicious remote TLS server and hence disclose information. Integrity and Availability are not impacted. • https://me.sap.com/notes/3557179 • CWE-940: Improper Verification of Source of a Communication Channel •

CVE-2025-42974 – Missing Authorization Check in SAP NetWeaver and ABAP Platform (SDCCN)
https://notcve.org/view.php?id=CVE-2025-42974
08 Jul 2025 — Due to missing authorization check, an attacker authenticated as a non-administrative user could call a remote-enabled function module. This could enable access to information normally restricted, resulting in low impact on confidentiality. There is no impact on integrity or availability. • https://me.sap.com/notes/3610056 • CWE-862: Missing Authorization •

CVE-2025-42968 – Missing Authorization check in SAP NetWeaver (RFC enabled function module)
https://notcve.org/view.php?id=CVE-2025-42968
08 Jul 2025 — SAP NetWeaver allows an authenticated non-administrative user to call the remote-enabled function module, which could grant access to non-sensitive information about the SAP system and OS without requiring any specific knowledge or controlled conditions. This leads to a low impact on confidentiality with no effect on integrity or availability of the application. • https://me.sap.com/notes/3621037 • CWE-862: Missing Authorization •

CVE-2025-42963 – Insecure Deserialization in SAP NetWeaver Application Server for Java (Log Viewer)
https://notcve.org/view.php?id=CVE-2025-42963
08 Jul 2025 — A critical vulnerability in SAP NetWeaver Application server for Java Log Viewer enables authenticated administrator users to exploit unsafe Java object deserialization. Successful exploitation can lead to full operating system compromise, granting attackers complete control over the affected system. This results in a severe impact on the confidentiality, integrity, and availability of the application and host environment. • https://me.sap.com/notes/3621771 • CWE-502: Deserialization of Untrusted Data •

CVE-2025-42954 – Denial of service (DOS) in SAP NetWeaver Business Warehouse (CCAW application)
https://notcve.org/view.php?id=CVE-2025-42954
08 Jul 2025 — The SAP NetWeaver Business Warehouse CCAW application allows a privileged attacker to cause a high CPU load by executing an RFC-enabled function module without any input parameters, which results in reduced performance or interrupted operation of the affected resource. This leads to a low impact on availability of the application; there is no impact on confidentiality or integrity. • https://me.sap.com/notes/3608156 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •

CVE-2025-42989 – Missing Authorization check in SAP NetWeaver Application Server for ABAP
https://notcve.org/view.php?id=CVE-2025-42989
10 Jun 2025 — RFC inbound processing does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. On successful exploitation the attacker could critically impact both integrity and availability of the application. • https://me.sap.com/notes/3600840 • CWE-862: Missing Authorization •

CVE-2025-42977 – Directory Traversal vulnerability in SAP NetWeaver Visual Composer
https://notcve.org/view.php?id=CVE-2025-42977
10 Jun 2025 — SAP NetWeaver Visual Composer contains a Directory Traversal vulnerability caused by insufficient validation of input paths provided by a high-privileged user. This allows an attacker to read or modify arbitrary files, resulting in a high impact on confidentiality and a low impact on integrity. • https://me.sap.com/notes/3610591 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-42999 – SAP NetWeaver Deserialization Vulnerability
https://notcve.org/view.php?id=CVE-2025-42999
13 May 2025 — SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system. SAP NetWeaver Visual Composer Metadata Uploader contains a deserialization vulnerability that allows a privileged attacker to compromise the confidentiality, integrity, and availability of the host system by deserializing untrusted or malicious content... • https://me.sap.com/notes/3604119 • CWE-502: Deserialization of Untrusted Data •

CVE-2025-31324 – SAP NetWeaver Unrestricted File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-31324
24 Apr 2025 — SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system. SAP NetWeaver Visual Composer Metadata Uploader contains an unrestricted file upload vulnerability that allows an unauthenticated agent to upload potentially malicious executable binaries. • https://github.com/rxerium/CVE-2025-31324 • CWE-434: Unrestricted Upload of File with Dangerous Type •