TLS Connection Vulnerability in SAP NetWeaver Application Server Java
CVE-2025-42978

3.5LOW

Key Information:

Vendor

SAP

Vendor
CVE Published:
8 July 2025

What is CVE-2025-42978?

The SAP NetWeaver Application Server Java component responsible for outbound TLS connections has a security flaw that fails to adequately verify the hostname against the wildcard hostname specified in the remote TLS server's certificate. This oversight can result in establishing a connection to a potentially malicious server, leading to the risk of information disclosure. While the integrity and availability of the service remain unaffected, addressing this vulnerability is crucial to maintain secure communication and protect sensitive data.

Affected Version(s)

SAP NetWeaver Application Server Java ENGINEAPI 7.50

References

CVSS V3.1

Score:
3.5
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-42978 : TLS Connection Vulnerability in SAP NetWeaver Application Server Java