CVE-2025-42874
📋 TL;DR
CVE-2025-42874 is a remote code execution vulnerability in SAP NetWeaver's Xcelsius remote service that allows attackers with network access and high privileges to execute arbitrary code without user interaction. This affects organizations running vulnerable SAP NetWeaver installations and could lead to service disruption or complete system compromise. The vulnerability stems from insufficient input validation in remote method calls.
💻 Affected Systems
- SAP NetWeaver with Xcelsius remote service
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover, allowing an attacker to install persistent backdoors, disrupt critical business operations, and potentially pivot to other systems in the network.
Likely Case
Service disruption through arbitrary code execution, potentially leading to business process interruption and data integrity issues.
If Mitigated
Limited impact if proper network segmentation and privilege controls are in place, potentially only affecting isolated components.
🎯 Exploit Status
Exploitation requires high privileges but no user interaction. The vulnerability is in remote method calls with insufficient input validation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check SAP Note 3640185 for specific patch versions
Vendor Advisory: https://me.sap.com/notes/3640185
Restart Required: Yes
Instructions:
1. Review SAP Note 3640185 for exact patch details.
2. Apply the SAP Security Patch from the monthly patch day.
3. Restart affected SAP services.
4. Verify the patch was applied successfully.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to the SAP NetWeaver Xcelsius remote service to trusted sources only. The rules below allow the trusted range; they only restrict access if the firewall's default policy already denies other sources (on firewalld, run firewall-cmd --reload after adding a permanent rule).
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_IP_RANGE" port protocol="tcp" port="SAP_PORT" accept'
netsh advfirewall firewall add rule name="SAP_Xcelsius_Access" dir=in action=allow protocol=TCP localport=SAP_PORT remoteip=TRUSTED_IP_RANGE
Disable Xcelsius Remote Service
Temporarily disable the vulnerable Xcelsius remote service if it is not required.
Check SAP documentation for service-specific disable commands
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure to only necessary systems
- Apply principle of least privilege to SAP user accounts and monitor for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check SAP system version and compare against affected versions in SAP Note 3640185. Verify if Xcelsius remote service is enabled.
Check Version:
SAP transaction SM51, or the systeminfo command at OS level, to determine the SAP version
Verify Fix Applied:
Verify patch application through SAP transaction SPAM or by checking system version. Confirm Xcelsius remote service behavior is corrected.
📡 Detection & Monitoring
Log Indicators:
- Unusual remote method calls to Xcelsius service
- Failed authentication attempts followed by successful high-privilege access
- Unexpected process execution from SAP services
Network Indicators:
- Unusual traffic patterns to SAP Xcelsius service ports
- Suspicious remote method invocation patterns
SIEM Query:
source="sap_audit_logs" AND (event_type="remote_method_call" AND service="Xcelsius" AND result="success") AND user_privilege="high"
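The SIEM query above is stateless; the log indicator "failed authentication attempts followed by successful high-privilege access" needs correlation across records. The following added example (not from this page or from SAP) implements both over constructed audit records: the record shape, field names and the threshold/window values are assumptions chosen to mirror the query's fields, not a real SAP audit log format.

```python
from collections import deque
from datetime import datetime, timedelta

def rec(ts, event_type, user, src, result, user_privilege="high", service="Xcelsius"):
    """Build one audit record (constructed shape, not a real SAP log format)."""
    return dict(ts=ts, event_type=event_type, user=user, src=src, result=result,
                user_privilege=user_privilege, service=service)

# Constructed sample "sap_audit_logs" records, sorted by time.
SAMPLE_LOGS = [
    rec("2025-06-01T10:00:00", "auth", "ADMIN01", "10.1.1.5", "failure"),
    rec("2025-06-01T10:01:00", "auth", "ADMIN01", "10.1.1.5", "failure"),
    rec("2025-06-01T10:02:00", "auth", "ADMIN01", "10.1.1.5", "failure"),
    rec("2025-06-01T10:03:00", "auth", "ADMIN01", "10.1.1.5", "success"),
    rec("2025-06-01T10:04:00", "remote_method_call", "ADMIN01", "10.1.1.5", "success"),
    rec("2025-06-01T10:05:00", "remote_method_call", "SVC_BI", "10.2.2.9", "success"),
    rec("2025-06-01T10:06:00", "remote_method_call", "REPORT1", "10.3.3.7", "success", user_privilege="low"),
    rec("2025-06-01T10:07:00", "remote_method_call", "ADMIN01", "10.1.1.5", "failure"),
]

def matches_siem_query(r):
    """Stateless rule from the page's SIEM query: a successful high-privilege
    remote method call to the Xcelsius service."""
    return (r["event_type"] == "remote_method_call" and r["service"] == "Xcelsius"
            and r["result"] == "success" and r["user_privilege"] == "high")

def detect(records, threshold=3, window=timedelta(minutes=10)):
    """Stateful correlation: a query hit is rated 'high' when the same user/source
    had >= threshold failed authentications within `window` beforehand, else 'medium'.
    Records must be sorted by timestamp."""
    failures = {}  # (user, src) -> deque of recent failed-auth timestamps
    alerts = []
    for r in records:
        ts = datetime.fromisoformat(r["ts"])
        fails = failures.setdefault((r["user"], r["src"]), deque())
        while fails and ts - fails[0] > window:  # drop failures outside the window
            fails.popleft()
        if r["event_type"] == "auth" and r["result"] == "failure":
            fails.append(ts)
        elif matches_siem_query(r):
            alerts.append({"ts": r["ts"], "user": r["user"], "src": r["src"],
                           "prior_failures": len(fails),
                           "severity": "high" if len(fails) >= threshold else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Tune threshold and window to the normal failure rate of the accounts that legitimately call the service, otherwise every administrator typo becomes a high-severity alert.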