SAP NetWeaver XML Data Archiving Service: Insecure Java Deserialization (CVE-2025-42966)
CVE-2025-42966 Published on July 8, 2025

Insecure Deserialization vulnerability in SAP NetWeaver (XML Data Archiving Service)
SAP NetWeaver XML Data Archiving Service allows an authenticated attacker with administrative privileges to exploit an insecure Java deserialization vulnerability by sending a specially crafted serialized Java object. This could lead to high impact on confidentiality, integrity, and availability of the application.

NVD

Vulnerability Analysis

CVE-2025-42966 is exploitable with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
HIGH
User Interaction:
NONE
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Type

What is a Marshaling, Unmarshaling Vulnerability?

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

CVE-2025-42966 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.


Products Associated with CVE-2025-42966

Want to know whenever a new CVE is published for SAP NetWeaver? stack.watch will email you.

SAP NetWeaver
 

Affected Versions

SAP_SE SAP NetWeaver (XML Data Archiving Service) Version J2EE-APPS 7.50 is affected by CVE-2025-42966

Exploit Probability

EPSS
0.14%
Percentile
34.18%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.