CVE-2025-42919 is a medium severity vulnerability classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) affecting SAP NetWeaver Application Server Java, specifically versions ENGINEAPI 7.50 and EP-BASIS 7.50. The flaw arises from insufficient validation of URL path components, allowing an unauthenticated attacker to craft requests with arbitrary path traversal sequences. This manipulation enables unauthorized access to internal metadata files that should be restricted, exposing sensitive application metadata. The vulnerability solely impacts confidentiality, as it does not allow modification or disruption of the application server's operations. Exploitation requires no authentication or user interaction and can be performed remotely over the network, increasing the attack surface. Although no exploits have been observed in the wild, the exposure of internal metadata could facilitate further attacks or reconnaissance by adversaries. The CVSS v3.1 base score of 5.3 reflects the moderate risk posed by this vulnerability. SAP customers should monitor for updates and advisories to apply patches promptly once released. In the interim, restricting access to metadata endpoints and implementing web application firewall (WAF) rules to detect and block path traversal attempts can reduce exposure.

For European organizations, the primary impact is the partial compromise of confidentiality due to unauthorized disclosure of sensitive application metadata. This information could include configuration details, internal structures, or other data that may aid attackers in crafting more targeted attacks or gaining deeper insight into the SAP environment. While the vulnerability does not affect system integrity or availability, the leakage of metadata can undermine trust and compliance, especially for organizations handling sensitive or regulated data under GDPR and other privacy frameworks. Industries such as finance, manufacturing, utilities, and public sector entities that heavily rely on SAP NetWeaver Application Server Java are particularly at risk. The ability to exploit this vulnerability without authentication and remotely increases the likelihood of opportunistic scanning and exploitation attempts. Although no known exploits exist currently, the potential for future exploitation necessitates proactive mitigation to prevent data leakage and subsequent attack escalation.

1. Monitor SAP security advisories closely and apply official patches or updates for SAP NetWeaver Application Server Java versions ENGINEAPI 7.50 and EP-BASIS 7.50 as soon as they become available. 2. Implement strict access controls on metadata and internal application endpoints to restrict exposure only to authorized users and systems. 3. Deploy web application firewalls (WAFs) with rules specifically designed to detect and block path traversal and URL manipulation attempts targeting SAP NetWeaver components. 4. Conduct regular security assessments and penetration tests focusing on URL manipulation vulnerabilities and metadata exposure in SAP environments. 5. Review and harden SAP NetWeaver server configurations to minimize unnecessary metadata exposure and disable any debug or development features that could increase risk. 6. Monitor logs for unusual or suspicious URL requests that include path traversal patterns or access attempts to internal metadata files. 7. Educate SAP administrators and security teams about this vulnerability and encourage rapid incident response readiness in case exploitation attempts are detected.