SAP NetWeaver App Server Java Info Disclosure via XML Endpoint
CVE-2025-24869 Published on February 11, 2025
Information Disclosure vulnerability in SAP NetWeaver Application Server Java
SAP NetWeaver Application Server Java allows an attacker to access an endpoint that can disclose information about deployed server components, including their XML definitions. This information should ideally be restricted to customer administrators, even though they may not need it. These XML files are not entirely SAP-internal as they are deployed with the server. In such a scenario, sensitive information could be exposed without compromising its integrity or availability.
Vulnerability Analysis
CVE-2025-24869 can be exploited with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.
Weakness Type
What is an AuthZ Vulnerability?
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
CVE-2025-24869 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2025-24869
Want to know whenever a new CVE is published for SAP Netweaver Application Server Java? stack.watch will email you.
Affected Versions
SAP_SE SAP NetWeaver Application Server Java Version WD-RUNTIME 7.50 is affected by CVE-2025-24869Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.