CVE-2025-24869
MEDIUMSAP NetWeaver Application Server Java - Info Disclosure
Title source: llmDescription
SAP NetWeaver Application Server Java allows an attacker to access an endpoint that can disclose information about deployed server components, including their XML definitions. This information should ideally be restricted to customer administrators, even though they may not need it. These XML files are not entirely SAP-internal as they are deployed with the server. In such a scenario, sensitive information could be exposed without compromising its integrity or availability.
References (2)
Core 2
Core References
Vendor Advisory
https://me.sap.com/notes/3550027
Vendor Advisory
https://url.sap/sapsecuritypatchday
Scores
CVSS v3
4.3
EPSS
0.0008
EPSS Percentile
22.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-863
Status
published
Products (1)
SAP_SE/SAP NetWeaver Application Server Java
WD-RUNTIME 7.50
Published
Feb 11, 2025
Tracked Since
Feb 18, 2026