Predictable Identifier Vulnerability in SAP NetWeaver AS JAVA IIOP Service
CVE-2025-42925

4.3MEDIUM

Key Information:

Vendor: SAP
Status: SAP Netweaver As Java (iiop Service)
Vendor: CVE Published:; 9 September 2025

What is CVE-2025-42925?

A predictable identifier vulnerability exists in the SAP NetWeaver AS JAVA IIOP service due to insufficient randomness in Object Identifier assignment. An attacker with low privileges, by using a brute force approach, may generate identifiers in close proximity to derive useful information. This flaw could allow the attacker to access limited system details, potentially undermining security without affecting system integrity or availability. Immediate attention is recommended for systems running the affected versions to mitigate any associated risks.

Affected Version(s)

SAP NetWeaver AS Java (IIOP Service) SERVERCORE 7.50

References

https://me.sap.com/notes/3640477

https://url.sap/sapsecuritypatchday

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 9, 2025
Vulnerability Reserved
Apr 16, 2025