CVE-2025-42966 PUBLISHED

Insecure Deserialization vulnerability in SAP NetWeaver (XML Data Archiving Service)

Assigner: sap
Reserved: 16.04.2025 Published: 08.07.2025 Updated: 09.07.2025

SAP NetWeaver XML Data Archiving Service allows an authenticated attacker with administrative privileges to exploit an insecure Java deserialization vulnerability by sending a specially crafted serialized Java object. This could lead to high impact on confidentiality, integrity, and availability of the application.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.1

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	SAP_SE
Product	SAP NetWeaver (XML Data Archiving Service)
Versions	Default: unaffected Version J2EE-APPS 7.50 is affected

References

https://me.sap.com/notes/3610892
https://url.sap/sapsecuritypatchday

CVE-2025-42966 PUBLISHED

Insecure Deserialization vulnerability in SAP NetWeaver (XML Data Archiving Service)

Metrics

Product Status

References

Problem Types