CVE-2025-42925
BaseFortify
Publication date: 2025-09-09
Last updated on: 2025-09-09
Assigner: SAP SE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sap | sap_netweaver | 3.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-341 | A number or object is predictable based on observations that the attacker can make about the state of the system or network, such as time, process ID, etc. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists because the SAP NetWeaver AS JAVA IIOP service assigns Object Identifiers without sufficient randomness. An authenticated attacker with low privileges can predict these identifiers by performing a brute force search, especially if they have knowledge of several identifiers generated around the same time. This allows the attacker to determine a specific identifier to access limited system information.
How can this vulnerability impact me? :
The vulnerability poses a low risk to confidentiality as it could allow an attacker to access limited system information. However, it does not impact the integrity or availability of the service.