Home

Description

Due to the lack of randomness in assigning Object Identifiers in the SAP NetWeaver AS JAVA IIOP service, an authenticated attacker with low privileges could predict the identifiers by conducting a brute force search. By leveraging knowledge of several identifiers generated close to the same time, the attacker could determine a desired identifier which could enable them to access limited system information. This poses a low risk to confidentiality without impacting the integrity or availability of the service.

PUBLISHED Reserved 2025-04-16 | Published 2025-09-09 | Updated 2025-09-09 | Assigner sap




MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Problem types

CWE-341: Predictable from Observable State

Product status

Default status
unaffected

SERVERCORE 7.50
affected

References

me.sap.com/notes/3640477

url.sap/sapsecuritypatchday

cve.org (CVE-2025-42925)

nvd.nist.gov (CVE-2025-42925)

Download JSON