SAP NetWeaver AS Java Multiple Vulnerabilities (July 2025)

Critical | Nessus Plugin ID 241707

Synopsis

The remote SAP NetWeaver application server is affected by multiple vulnerabilities.

Description

SAP NetWeaver Application Server for Java is affected by multiple vulnerabilities, including the following:

- A critical vulnerability in the SAP NetWeaver Application Server for Java Log Viewer enables authenticated administrator users to exploit unsafe Java object deserialization. Successful exploitation can lead to full operating system compromise, granting attackers complete control over the affected system. (CVE-2025-42963)

- The widely used component that establishes outbound TLS connections in SAP NetWeaver Application Server Java does not reliably match the hostname used for the connection against the wildcard hostname defined in the certificate received from the remote TLS server. This might lead to the outbound connection being established to a possibly malicious remote TLS server and hence disclose information. (CVE-2025-42978)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Apply the appropriate patch according to the vendor advisory.

See Also

http://www.nessus.org/u?689b7591

https://me.sap.com/notes/3621771

https://me.sap.com/notes/3557179

Plugin Details

Severity: Critical

ID: 241707

File Name: sap_netweaver_as_java_jul_2025.nasl

Version: 1.2

Type: remote

Family: Web Servers

Published: 7/10/2025

Updated: 7/11/2025

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: High

Base Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:M/C:C/I:C/A:C

CVSS Score Source: CVE-2025-42963

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:sap:netweaver_application_server

Required KB Items: installed_sw/SAP Netweaver Application Server (AS), Settings/ParanoidReport

Patch Publication Date: 7/8/2025

Vulnerability Publication Date: 7/8/2025

Reference Information

CVE: CVE-2025-42963, CVE-2025-42978

IAVA: 2025-A-0505