CVE-2025-42926: 
SAP NetWeaver Application Server Java Analisi e mitigazione delle vulnerabilità

CVE-2025-42926 is a missing authentication vulnerability in SAP NetWeaver Application Server Java (version 7.50) that allows unauthenticated remote attackers to access internal files within the web application. The vulnerability was published on September 9, 2025, and a patch was made available via SAP's September 2025 Security Patch Day. It carries a CVSS v3.1 base score of 5.3 (Medium), reflecting a low confidentiality impact with no effect on integrity or availability (Red Hat CVE, SAP Security Notes).

The root cause is classified as CWE-306 (Missing Authentication for Critical Function): SAP NetWeaver AS Java fails to enforce authentication checks when requests are made to access internal web application files. An unauthenticated attacker can send crafted network requests directly to the affected endpoint without any credentials, user interaction, or elevated privileges, exploiting the absence of access controls to retrieve internal files. The attack vector is network-based with low complexity, making it straightforward to exploit remotely (Red Hat CVE, ENISA EUVD).

Successful exploitation allows an unauthenticated attacker to read internal files within the SAP NetWeaver AS Java web application, potentially exposing sensitive system configuration data, credentials, or other information useful for further attacks. The confidentiality impact is rated low, and there is no impact on system integrity or availability. While the direct impact is limited, the exposed information could facilitate reconnaissance for more severe follow-on attacks against the SAP environment (Red Hat CVE, Onapsis Blog).

SAP has released a patch for NetWeaver Application Server Java version 7.50 as part of the September 2025 Security Patch Day (SAP Security Note 3619465). Organizations should apply this patch immediately. As interim mitigations, restrict network access to the SAP NetWeaver AS Java instance, implement additional perimeter authentication controls, and monitor access logs for unauthorized requests to internal web application paths (SAP Security Notes, ENISA EUVD).

SAP's September 2025 Patch Day, which included CVE-2025-42926 among 21 vulnerabilities addressed, received coverage from SAP security specialists including Onapsis, SecurityBridge, and RedRays, who highlighted the broader patch release context (Onapsis Blog, SecurityBridge Blog, RedRays Blog). General security news outlets such as GBHackers and CyberSecurityNews also covered the September 2025 patch day, though coverage of this specific CVE was limited given its medium severity relative to critical issues patched in the same cycle (GBHackers, CyberSecurityNews).