TLS Connection Vulnerability in SAP NetWeaver Application Server Java
CVE-2025-42978

3.5LOW

Key Information:

Vendor: SAP
Status: SAP Netweaver Application Server Java
Vendor: CVE Published:; 8 July 2025

What is CVE-2025-42978?

The SAP NetWeaver Application Server Java component responsible for outbound TLS connections has a security flaw that fails to adequately verify the hostname against the wildcard hostname specified in the remote TLS server's certificate. This oversight can result in establishing a connection to a potentially malicious server, leading to the risk of information disclosure. While the integrity and availability of the service remain unaffected, addressing this vulnerability is crucial to maintain secure communication and protect sensitive data.

Affected Version(s)

SAP NetWeaver Application Server Java ENGINEAPI 7.50

References

https://me.sap.com/notes/3557179

https://url.sap/sapsecuritypatchday

CVSS V3.1

Score:

3.5

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 8, 2025
Vulnerability Reserved
Apr 16, 2025