JNDI Injection Vulnerability in SAP NetWeaver Enterprise Portal
CVE-2025-42884

6.5 MEDIUM

Key Information:

Vendor: SAP
CVE Published: 11 November 2025

What is CVE-2025-42884?

The vulnerability affects the SAP NetWeaver Enterprise Portal, where an unauthenticated attacker can exploit the system to inject JNDI environment properties. This manipulation enables attackers to pass malicious URLs during JNDI lookup operations, potentially granting unauthorized access to unintended JNDI providers. Such exposure could lead to the disclosure or unauthorized modification of sensitive information regarding the server. Nevertheless, it does not affect the operational availability of the service.

Affected Version(s)

SAP NetWeaver Enterprise Portal EP-BASIS 7.50

SAP NetWeaver Enterprise Portal EP-RUNTIME 7.50

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
