Remote Function Access Vulnerability in SAP NetWeaver
CVE-2025-42968

5MEDIUM

Key Information:

Vendor: SAP
Status: SAP Netweaver (rfc Enabled Function Module)
Vendor: CVE Published:; 8 July 2025

What is CVE-2025-42968?

The vulnerability in SAP NetWeaver allows authenticated non-administrative users to call a remote-enabled function module. This capability can grant unnecessary access to non-sensitive system details and operating system information without the need for specialized knowledge or a controlled environment. This situation can lead to concerns regarding the confidentiality of the system, as unauthorized insights into the SAP infrastructure may be exposed.

Affected Version(s)

SAP NetWeaver (RFC enabled function module) SAP_BW 700

SAP NetWeaver (RFC enabled function module) 701

SAP NetWeaver (RFC enabled function module) 702

References

https://me.sap.com/notes/3621037

https://url.sap/sapsecuritypatchday

CVSS V3.1

Score:

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 8, 2025
Vulnerability Reserved
Apr 16, 2025