CVE-2025-42928
Published: 09 December 2025
Summary
CVE-2025-42928 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in SAP jConnect (vendor and product inferred from references). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked in the top 16.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-42928 is a deserialization vulnerability, tracked under CWE-502, that affects SAP jConnect. Under certain conditions, specially crafted input can be supplied to the component, enabling remote code execution with high impact on the confidentiality, integrity, and availability of the affected system. The vulnerability carries a CVSS 3.1 score of 9.1.
A high-privileged user with network access can exploit the flaw without user interaction. Successful exploitation allows the attacker to execute arbitrary code on the target system, resulting in full compromise across confidentiality, integrity, and availability boundaries.
SAP security advisories, including note 3685286 and the December 2025 patch day release, address remediation through corresponding software updates. Organizations should apply the patches referenced in these materials to eliminate the deserialization issue.
The associated EPSS score remains flat at 0.0198 with no material increase observed since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-201844
Vulnerability details
Under certain conditions, a high-privileged user could exploit a deserialization vulnerability in SAP jConnect to launch remote code execution. The system may be vulnerable when specially crafted input is used to exploit the vulnerability, resulting in high impact on confidentiality, integrity and availability of the system.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
A deserialization vulnerability (CWE-502) exploited remotely by a high-privileged user yields RCE with a scope change, which maps directly to Exploitation of Remote Services (T1210) and Exploitation for Privilege Escalation (T1068).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5, AI-generated)
SI-2 requires timely flaw remediation through patching, directly addressing the deserialization vulnerability in SAP jConnect as recommended in SAP security notes.
SI-10 enforces validation of information inputs, preventing exploitation via specially crafted input that triggers the deserialization leading to RCE.
AC-6 enforces least privilege, reducing the attack surface by limiting high-privileged user accounts (PR:H) capable of exploiting the vulnerability.
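As an added illustration of what the SI-10 control means for a CWE-502 bug (example code written for this page, not code from SAP or jConnect, whose internals are not described here), the Java snippet below contrasts an unfiltered ObjectInputStream with one carrying a JDK 9+ ObjectInputFilter allow-list. ExpectedRecord and the ArrayList stand-in are constructed placeholders; the same pattern applies to any Java consumer that reads serialized objects from a network peer.

```java
import java.io.*;
import java.util.ArrayList;
import java.util.List;

public class DeserializationFilterDemo {

    // Constructed placeholder for the one type the consumer is supposed to receive.
    public static final class ExpectedRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        final String value;
        ExpectedRecord(String value) { this.value = value; }
    }

    // Allow-list filter (SI-10 applied to serialized input): admit only the expected
    // class and String, reject every other class before its code can run, and cap
    // graph depth to blunt resource-exhaustion payloads.
    static final ObjectInputFilter ALLOW_LIST = info -> {
        if (info.depth() > 5) return ObjectInputFilter.Status.REJECTED;
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED; // size/depth-only callbacks
        return (c == ExpectedRecord.class || c == String.class)
                ? ObjectInputFilter.Status.ALLOWED : ObjectInputFilter.Status.REJECTED;
    };

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Unfiltered readObject(): whatever class the stream names gets instantiated.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Filtered readObject(): an unexpected class raises InvalidClassException.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOW_LIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new ExpectedRecord("ok"));
        byte[] unexpected = serialize(new ArrayList<>(List.of("x"))); // harmless stand-in
        System.out.println("filtered, expected type: " + ((ExpectedRecord) readFiltered(expected)).value);
        System.out.println("unfiltered, unexpected type accepted: " + readUnfiltered(unexpected).getClass());
        try { readFiltered(unexpected); }
        catch (InvalidClassException e) { System.out.println("filtered, rejected: " + e.getMessage()); }
    }
}
```

The filter runs before any constructor, readObject or finalize logic of the rejected class executes, which is why an allow-list is the input-validation control of choice for CWE-502 even after the vendor patch is applied.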