SecuriTricks - CVE-2025-42874

Description

SAP NetWeaver remote service for Xcelsius allows an attacker with network access and high privileges to execute arbitrary code on the affected system due to insufficient input validation and improper handling of remote method calls. Exploitation does not require user interaction and could lead to service disruption or unauthorized system control. This has high impact on integrity and availability, with no impact on confidentiality.

Product(s) Impacted

Vendor	Product	Versions
Sap	Netweaver Xcelsius	* *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-405

Asymmetric Resource Consumption (Amplification)

The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric."

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	sap	netweaver	/	/	/	/	/	/	/	/
a	sap	xcelsius	/	/	/	/	/	/	/	/

References

https://me.sap.com/notes/3640185

https://url.sap/sapsecuritypatchday

CVSS Score

7.9 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: HIGH
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:H

View Vector String

Timeline

Published: Dec. 9, 2025, 4:17 p.m.
Last Modified: Dec. 9, 2025, 6:36 p.m.

Status : Awaiting Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

cna@sap.com

CVE-2025-42874