Detections
Analytics
SAP NetWeaver AS Java DoS (December 2025)
high Nessus Plugin ID 278309
Language:
Synopsis
The remote SAP NetWeaver application server is affected by a denial of service vulnerability.Description
The version of SAP NetWeaver Application Server for Java detected on the remote host is affected by a denial of service vulnerability as disclosed in the SAP Security Patch Day December 2025:- SAP NetWeaver remote service for Xcelsius allows an attacker with network access and high privileges to execute arbitrary code on the affected system due to insufficient input validation and improper handling of remote method calls. Exploitation does not require user interaction and could lead to service disruption or unauthorized system control. This has high impact on integrity and availability, with no impact on confidentiality. (CVE-2025-42874)
Note that Nessus has not tested for these issue but has instead relied only on the application's self-reported version number.
Solution
Apply the appropriate patch according to the vendor advisory.See Also
Plugin Details
Severity: High
ID: 278309
File Name: sap_netweaver_as_java_dec_2025.nasl
Version: 1.3
Type: remote
Family: Web Servers
Published: 12/11/2025
Updated: 2/25/2026
Configuration: Enable paranoid mode
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 6.5
CVSS v2
Risk Factor: Medium
Base Score: 6.4
Temporal Score: 4.7
Vector: CVSS2#AV:N/AC:H/Au:M/C:P/I:C/A:C
CVSS Score Source: CVE-2025-42874
CVSS v3
Risk Factor: High
Base Score: 7.9
Temporal Score: 6.9
Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:sap:netweaver_application_server
Required KB Items: installed_sw/SAP Netweaver Application Server (AS), Settings/ParanoidReport
Exploit Ease: No known exploits are available
Patch Publication Date: 12/9/2025
Vulnerability Publication Date: 12/9/2025
Reference Information
CVE: CVE-2025-42874
IAVA: 2025-A-0898