Cyber Resilience

CVE-2025-42928

Severity: Critical · RCE

Published: 09 December 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0198 (84.0th percentile)
Risk Priority: 19 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-42928 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in SAP software (vendor inferred from references). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 16.0% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-42928 is a deserialization vulnerability, tracked under CWE-502, that affects SAP jConnect. Under certain conditions, specially crafted input can be supplied to the component, enabling remote code execution with high impact on the confidentiality, integrity, and availability of the affected system. The vulnerability carries a CVSS 3.1 score of 9.1.

A high-privileged user with network access can exploit the flaw without user interaction. Successful exploitation allows the attacker to execute arbitrary code on the target system, resulting in full compromise across confidentiality, integrity, and availability boundaries.

SAP security advisories, including note 3685286 and the December 2025 patch day release, address remediation through corresponding software updates. Organizations should apply the patches referenced in these materials to eliminate the deserialization issue.

The associated EPSS score remains flat at 0.0198 with no material increase observed since disclosure.

Vulnerability details

Under certain conditions, a high privileged user could exploit a deserialization vulnerability in SAP jConnect to launch remote code execution. The system may be vulnerable when specially crafted input is used to exploit the vulnerability resulting in high impact on confidentiality, integrity and availability of the system.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1210 Exploitation of Remote Services (tactic: Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

A deserialization vulnerability (CWE-502), exploited remotely by a high-privileged user to achieve RCE with scope change, directly enables Exploitation of Remote Services (T1210) and Exploitation for Privilege Escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3357 (shared CWE-502)
CVE-2026-27172 (shared CWE-502)
CVE-2025-66524 (shared CWE-502)
CVE-2025-69276 (shared CWE-502)
CVE-2025-62420 (shared CWE-502)
CVE-2024-57766 (shared CWE-502)
CVE-2026-40858 (shared CWE-502)
CVE-2026-35337 (shared CWE-502)
CVE-2025-27816 (shared CWE-502)
CVE-2026-37552 (shared CWE-502)

Affected Assets

SAP (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-suggested mapping)

Prevent: SI-2 (Flaw Remediation) requires timely flaw remediation through patching, directly addressing the deserialization vulnerability in SAP jConnect as recommended in SAP security notes.

Prevent: SI-10 (Information Input Validation) enforces validation of information inputs, preventing exploitation via specially crafted input that triggers the deserialization leading to RCE.

Prevent: AC-6 (Least Privilege) enforces least privilege, reducing the attack surface by limiting the high-privileged accounts (PR:H) capable of exploiting the vulnerability.
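The SI-10 control above is stated generically. As an added illustration of what input validation means for CWE-502 in a Java component (this is example code written for this page, not SAP's or jConnect's code, whose internals the page does not describe), the program below contrasts the unfiltered ObjectInputStream read that the weakness class describes with the same read guarded by a JEP 290 deserialization filter. The class names, the allowlist pattern and the ConfigMessage and UnexpectedType types are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example (not SAP code): CWE-502 read pattern beside its filtered form.
public class DeserializationFilterDemo {

    // Constructed message type: the only class the application expects on the wire.
    public static final class ConfigMessage implements Serializable {
        private static final long serialVersionUID = 1L;
        final String key;
        final int value;
        ConfigMessage(String key, int value) { this.key = key; this.value = value; }
    }

    // Hypothetical stand-in for any class that should never arrive from a client.
    public static final class UnexpectedType implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Allowlist filter (JEP 290 pattern syntax): caps graph depth and array size,
    // admits the expected DTO and java.lang.String, and rejects every other class.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "maxdepth=5;maxarray=1000;"
        + "DeserializationFilterDemo$ConfigMessage;java.lang.String;!*");

    // Weak pattern: restores whatever class the untrusted byte stream names.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened pattern: the filter decides before any class from the stream is resolved,
    // so rejected types never have a constructor or readObject method run.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    // Helper that produces sample serialized input for the demo.
    static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new ConfigMessage("timeout", 30));
        byte[] unexpected = serialize(new UnexpectedType());

        System.out.println("unfiltered accepts expected type:   "
            + (readUnfiltered(expected) instanceof ConfigMessage));
        System.out.println("unfiltered accepts unexpected type: "
            + (readUnfiltered(unexpected) instanceof UnexpectedType));
        System.out.println("filtered accepts expected type:     "
            + (readFiltered(expected) instanceof ConfigMessage));
        try {
            readFiltered(unexpected);
            System.out.println("filtered accepted unexpected type (unexpected result)");
        } catch (InvalidClassException e) {
            System.out.println("filtered rejected unexpected type: " + e.getMessage());
        }
    }
}
```

Compile and run with a Java 9 or later JDK (`javac DeserializationFilterDemo.java && java DeserializationFilterDemo`). The same pattern string can be applied process-wide through the `jdk.serialFilter` system property when the deserializing code cannot be modified, which is the usual situation for a third-party driver; the per-stream filter shown here is preferable where the code is under your control, because the allowlist can be scoped to exactly the types each endpoint expects.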

References