CVE-2025-42928

Published Dec 9, 2025

Last updated 11 days ago

CVSS critical 9.1
SAP

Overview

Description
Under certain conditions, a high privileged user could exploit a deserialization vulnerability in SAP jConnect to launch remote code execution. The system may be vulnerable when specially crafted input is used to exploit the vulnerability resulting in high impact on confidentiality, integrity and availability of the system.
Source
cna@sap.com
NVD status
Deferred

Risk scores

CVSS 3.1

Type
Primary
Base score
9.1
Impact score
6
Exploitability score
2.3
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

cna@sap.com
CWE-502

Social media

Hype score
Not currently trending

  1. SAP 2025年12月セキュリティパッチを公開-Solution Managerなど3件のクリティカルな脆弱性に注意(CVE-2025-42880,CVE-2025-55754 / CVE-2025-55752,CVE-2025-42928) https://t.co/NAvVnZLUcC #セキュリティ対策Lab #セキュリティ #Security

    @securityLab_jp

    11 Dec 2025

    126 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. [CVE-2025-42928: CRITICAL] Warning: SAP jConnect vulnerability allows high privileged user to execute remote code through deserialization flaw. Confidentiality, integrity, and availability at risk. #CyberSec...#cve,CVE-2025-42928,#cybersecurity https://t.co/8d5vcX17RC https://t.c

    @CveFindCom

    9 Dec 2025

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨 CRITICAL: SAP jConnect - SDK for ASE hit by CVE-2025-42928 (CVSS 9.1)! High-privileged users can trigger remote code execution. Patch ASAP to protect your enterprise systems. Details: https://t.co/PNUHKeHeJK... https://t.co/8IkJg3M9Dq

    @offseq

    9 Dec 2025

    66 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Related CVEs

  1. Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-control parameter. This triggers prolonged loop execution that consumes excessive system resources, potentially rendering the system unavailable. Successful exploitation results in a denial-of-service condition that impacts availability, while confidentiality and integrity remain unaffected.CVE-2026-27689
  2. SAP NetWeaver Enterprise Portal Administration is vulnerable if a privileged user uploads untrusted or malicious content that, upon deserialization, could result in a high impact on the confidentiality, integrity, and availability of the host system.CVE-2026-27685
  3. SAP Solution Tools Plug-In (ST-PI) contains a function module that does not perform the necessary authorization checks for authenticated users, allowing sensitive information to be disclosed. This vulnerability has a high impact on confidentiality and does not affect integrity or availability.CVE-2026-24322
  4. SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privileges to obtain a valid signed message and send modified signed XML documents to the verifier. This may result in acceptance of tampered identity information, unauthorized access to sensitive user data and potential disruption of normal system usage.CVE-2026-23687
  5. Due to an uncontrolled resource consumption (Denial of Service) vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-control parameter. This triggers prolonged loop execution that consumes excessive system resources, potentially rendering the system unavailable. Successful exploitation results in a denial-of-service condition that impacts availability, while confidentiality and integrity remain unaffected.CVE-2026-23689

References

Sources include official advisories and independent security research.