CVE-2025-42925

EPSS 0.04%
Veröffentlicht 09.09.2025 02:15:40
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle cna@sap.com
CVE-Watchlists
Login
Unerledigt
Login

Predictable Object Identifier vulnerability in SAP NetWeaver AS Java (IIOP Service)

Due to the lack of randomness in assigning Object Identifiers in the SAP NetWeaver AS JAVA IIOP service, an authenticated attacker with low privileges could predict the identifiers by conducting a brute force search. By leveraging knowledge of several identifiers generated close to the same time, the attacker could determine a desired identifier which could enable them to access limited system information. This poses a low risk to confidentiality without impacting the integrity or availability of the service.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 5

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerSAP_SE

≫

Produkt SAP NetWeaver AS Java (IIOP Service)

Default Statusunaffected

Version SERVERCORE 7.50

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.125

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
cna@sap.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CWE-341 Predictable from Observable State

A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc.

https://url.sap/sapsecuritypatchday

https://me.sap.com/notes/3640477

https://nvd.nist.gov/vuln/detail/CVE-2025-42925

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-42925

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-42925

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-42925