Advisory
SAP released a note with CVSS 6.5 for component EP-PIN-APF-CAT on 11.11.2025. Correction/advisory 3660969 is titled "[CVE-2025-42884] JNDI Injection vulnerability in SAP NetWeaver Enterprise Portal" and affects the system type Java.
A workaround does not exist, according to the SAP Security Advisory team. It is advisable to implement the correction as part of maintenance.
The vulnerability addressed is command injection within Java.
Risk specification
SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject JNDI environment properties or provide a URL used during JNDI lookup operations, resulting in access to an unintended JNDI provider.
Solution
The request parameters are now properly validated to prevent a successful JNDI injection.
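As an added illustration of the pattern the advisory describes, the following hypothetical Java handler contrasts a request-driven JNDI lookup with a hardened version that refuses client-supplied environment properties and scheme-prefixed lookup names. This is not SAP's code and not the actual correction in note 3660969; the class, method and resource names, the allow-list contents and the sample parameter maps are all assumptions constructed for the example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/**
 * Hypothetical example (not SAP code): a JNDI lookup driven by HTTP request
 * parameters, shown in a weak and a hardened form.
 */
public class JndiLookupGuard {

    // Weak pattern: the JNDI environment is built directly from request
    // parameters. A client can therefore set java.naming.provider.url or
    // java.naming.factory.initial and steer the lookup to a provider of its
    // choosing, which is the outcome the advisory describes.
    static Object lookupWeak(Map<String, String> requestParams) throws NamingException {
        java.util.Hashtable<String, String> env = new java.util.Hashtable<>(requestParams);
        return new InitialContext(env).lookup(requestParams.get("name"));
    }

    // Hardened form: environment fixed by the deployment, names allow-listed.
    private static final Set<String> ALLOWED_NAMES = Set.of(   // assumed resource names
            "java:comp/env/jdbc/PortalDS",
            "java:comp/env/mail/PortalSession");

    // Only plain path-like characters after the optional java: prefix.
    private static final Pattern SAFE_CHARS = Pattern.compile("[A-Za-z0-9_./-]{1,128}");

    /** Rejects any parameter that would alter the JNDI environment. */
    static void rejectEnvironmentProperties(Map<String, String> requestParams) {
        for (String key : requestParams.keySet()) {
            if (key.startsWith("java.naming.")
                    || key.equals(Context.PROVIDER_URL)
                    || key.equals(Context.INITIAL_CONTEXT_FACTORY)) {
                throw new IllegalArgumentException("JNDI environment property in request: " + key);
            }
        }
    }

    /** True only for an allow-listed name in the local java: namespace. */
    static boolean isSafeName(String name) {
        if (name == null) {
            return false;
        }
        // A URL scheme (ldap:, rmi:, iiop:, dns:, corbaname:, ...) makes
        // InitialContext dispatch to a URL context factory, i.e. an external
        // provider. Only the local java: namespace is accepted here.
        String local = name.startsWith("java:") ? name.substring(5) : name;
        if (local.indexOf(':') >= 0 || !SAFE_CHARS.matcher(local).matches()) {
            return false;
        }
        return ALLOWED_NAMES.contains(name);
    }

    static Object lookupHardened(Map<String, String> requestParams) throws NamingException {
        rejectEnvironmentProperties(requestParams);
        String name = requestParams.get("name");
        if (!isSafeName(name)) {
            // Log the rejected value: repeated scheme-prefixed names are a
            // useful detection signal for probing of this class of flaw.
            throw new IllegalArgumentException("rejected JNDI name: " + name);
        }
        // No environment from the request; the container's settings apply.
        return new InitialContext().lookup(name);
    }

    // Offline self-check of the validator only (no JNDI provider is contacted).
    public static void main(String[] args) {
        Map<String, String> good = new HashMap<>();          // constructed input
        good.put("name", "java:comp/env/jdbc/PortalDS");
        Map<String, String> schemeName = new HashMap<>();    // constructed input
        schemeName.put("name", "ldap://example.invalid/x");
        Map<String, String> envInjection = new HashMap<>();  // constructed input
        envInjection.put("name", "java:comp/env/jdbc/PortalDS");
        envInjection.put("java.naming.provider.url", "ldap://example.invalid/");

        System.out.println("allow-listed name accepted: " + isSafeName(good.get("name")));
        System.out.println("scheme name accepted:       " + isSafeName(schemeName.get("name")));
        try {
            rejectEnvironmentProperties(envInjection);
            System.out.println("env properties accepted:    true");
        } catch (IllegalArgumentException e) {
            System.out.println("env properties accepted:    false (" + e.getMessage() + ")");
        }
    }
}
```

The two checks are independent: the allow-list stops a lookup name from naming an external provider, and the property filter stops the client from redirecting even an allow-listed name by changing the provider URL or initial context factory. Rejections logged at the boundary give a simple detection hook for the probing that precedes exploitation of this flaw class.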
Affected System
SAP NetWeaver Application Server Java is part of the SAP NetWeaver Application Platform. It provides the complete infrastructure for deploying and running Java applications.
- The AS Java Home: SAP NetWeaver Application Server Java wiki
- A dedicated SAP NetWeaver 7.40 Application Server for Java Security Guide exists.
The advisory is valid for
- 9.9 [CVE-2021-38163] Unrestricted File Upload vulnerability in SAP NetWeaver (Visual Composer 7.0 RT)
- 7.2 [CVE-2020-6234] Privilege Escalation in SAP Host Agent
- 7.2 [CVE-2020-6191] Missing Input Validation in SAP Landscape Management
- 7.2 [CVE-2020-6192] Missing Input Validation in SAP Landscape Management
- 7.2 [CVE-2020-6236] Privilege Escalation in SAP Landscape Management (SAP Adaptive Extensions)
