SAP NetWeaver AS Java DoS (December 2025)

Nessus Plugin ID 278309 (Severity: High)

Synopsis

The remote SAP NetWeaver application server is affected by a denial of service vulnerability.

Description

The version of SAP NetWeaver Application Server for Java detected on the remote host is affected by a denial of service vulnerability as disclosed in the SAP Security Patch Day December 2025:

- SAP NetWeaver remote service for Xcelsius allows an attacker with network access and high privileges to execute arbitrary code on the affected system due to insufficient input validation and improper handling of remote method calls. Exploitation does not require user interaction and could lead to service disruption or unauthorized system control. This has high impact on integrity and availability, with no impact on confidentiality. (CVE-2025-42874)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Apply the appropriate patch according to the vendor advisory.

See Also

http://www.nessus.org/u?238b0a82

https://me.sap.com/notes/3640185

Plugin Details

Severity: High

ID: 278309

File Name: sap_netweaver_as_java_dec_2025.nasl

Version: 1.2

Type: remote

Family: Web Servers

Published: 12/11/2025

Updated: 12/12/2025

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: CVSS2#AV:N/AC:H/Au:S/C:P/I:C/A:C

CVSS Score Source: CVE-2025-42874

CVSS v3

Risk Factor: High

Base Score: 7.9

Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:H

Vulnerability Information

CPE: cpe:/a:sap:netweaver_application_server

Required KB Items: installed_sw/SAP Netweaver Application Server (AS), Settings/ParanoidReport

Patch Publication Date: 12/9/2025

Vulnerability Publication Date: 12/9/2025

Reference Information

CVE: CVE-2025-42874

IAVA: 2025-A-0898