SAP NetWeaver AS Java: Auth Gap Lets Users Create JCo Entries
CVE-2025-0067 Published on January 14, 2025
Missing Authorization check in SAP NetWeaver Application Server Java
Due to a missing authorization check on service endpoints in the SAP NetWeaver Application Server Java, an attacker with a standard user role can create JCo connection entries, which are used for remote function calls from or to the application server. This could lead to a low impact on the confidentiality, integrity, and availability of the application.
Vulnerability Analysis
CVE-2025-0067 can be exploited with network access and requires a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be low, with a small impact on confidentiality, integrity and availability.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2025-0067 has been classified as an AuthZ (missing authorization) vulnerability or weakness.
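The pattern behind a missing authorization check is easiest to see side by side. The following Java example is added here for illustration and is not SAP code: `ConnectionEntryService`, the `Caller` record, the `CONNECTION_ADMIN` role name and the in-memory map standing in for the JCo destination store are all hypothetical. `createEntryUnchecked` shows the weakness (any authenticated caller can add an entry); `createEntryChecked` shows the fix, which verifies the caller's role before touching the store and rejects standard users with an explicit error that can be logged and alerted on.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Hypothetical service that stores named remote-connection entries.
// The map is a stand-in for a real destination store; this is not SAP code.
public class ConnectionEntryService {

    // Minimal caller identity: user name plus granted roles (constructed for the example).
    record Caller(String name, Set<String> roles) {}

    // Hypothetical privileged role required to manage connection entries.
    private static final String ADMIN_ROLE = "CONNECTION_ADMIN";

    private final Map<String, String> entries = new HashMap<>();

    // Vulnerable pattern (missing authorization check): any authenticated caller,
    // including one holding only a standard user role, may create an entry.
    public void createEntryUnchecked(Caller caller, String name, String targetHost) {
        entries.put(name, targetHost);
    }

    // Hardened pattern: the endpoint checks the caller's role before modifying
    // the store. Standard users are refused with an explicit exception, which
    // the server can log as an authorization failure for detection purposes.
    public void createEntryChecked(Caller caller, String name, String targetHost) {
        if (!caller.roles().contains(ADMIN_ROLE)) {
            throw new SecurityException(
                "user " + caller.name() + " lacks role " + ADMIN_ROLE + " for entry " + name);
        }
        entries.put(name, targetHost);
    }

    public boolean hasEntry(String name) {
        return entries.containsKey(name);
    }

    public static void main(String[] args) {
        ConnectionEntryService svc = new ConnectionEntryService();
        // Constructed sample identities.
        Caller standardUser = new Caller("alice", Set.of("USER"));
        Caller admin = new Caller("bob", Set.of("USER", ADMIN_ROLE));

        // Unchecked endpoint: the standard user succeeds, which is the weakness.
        svc.createEntryUnchecked(standardUser, "ENTRY_A", "example.invalid:3300");
        System.out.println("unchecked: standard user created entry = " + svc.hasEntry("ENTRY_A"));

        // Checked endpoint: the standard user is refused, the admin succeeds.
        try {
            svc.createEntryChecked(standardUser, "ENTRY_B", "example.invalid:3300");
        } catch (SecurityException e) {
            System.out.println("checked: refused -> " + e.getMessage());
        }
        svc.createEntryChecked(admin, "ENTRY_B", "example.invalid:3300");
        System.out.println("checked: admin created entry = " + svc.hasEntry("ENTRY_B"));
    }
}
```

The point of the hardened version is that the check happens at the service endpoint itself, not only in the UI that normally calls it, so a caller reaching the endpoint directly is still subject to it; the thrown exception also gives operators a concrete event to monitor for repeated denied attempts.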
Affected Versions
SAP_SE SAP NetWeaver Application Server Java Version WD-RUNTIME 7.50 is affected by CVE-2025-0067
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.