
CVE-2025-42874: SAP NetWeaver Xcelsius RCE Vulnerability

CVE-2025-42874 is a remote code execution flaw in SAP NetWeaver Xcelsius that enables attackers with high privileges to run arbitrary code due to insufficient input validation. This article covers technical details, impact, and mitigation.

CVE-2025-42874 Overview

CVE-2025-42874 affects the SAP NetWeaver remote service for Xcelsius. An authenticated attacker with high privileges and network access can execute arbitrary code on the affected system. The flaw stems from insufficient input validation and improper handling of remote method calls. Exploitation requires no user interaction and can result in service disruption or unauthorized system control. The weakness is categorized under [CWE-405], Asymmetric Resource Consumption (Amplification). That CWE describes a resource-exhaustion pattern, which fits the availability impact better than code execution, so treat SAP Note #3640185 rather than the CWE label as the authority on the exact nature of the defect. The vulnerability has high impact on integrity and availability, with low impact on confidentiality. SAP published the issue on December 9, 2025, as part of its monthly Security Patch Day.

Critical Impact

Authenticated attackers can execute arbitrary code over the network, leading to integrity loss, system control, and denial of service on SAP NetWeaver hosts running the Xcelsius remote service.

Affected Products

  • SAP NetWeaver remote service for Xcelsius
  • SAP BusinessObjects components leveraging the Xcelsius remote interface
  • Refer to SAP Note #3640185 for the authoritative list of affected releases

Discovery Timeline

  • 2025-12-09 - CVE-2025-42874 published to NVD and disclosed on SAP Security Patch Day
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-42874

Vulnerability Analysis

The vulnerability resides in the SAP NetWeaver remote service that supports Xcelsius dashboard functionality. The service accepts remote method invocations over the network but fails to properly validate inputs before processing them. An authenticated attacker with high privileges can craft malicious remote method calls that the service deserializes or dispatches without sufficient sanitization. The resulting arbitrary code execution runs in the context of the SAP service account. Because the advisory rates the CVSS scope as changed, the impact extends beyond the vulnerable component to other resources on the host. The flaw is classified as [CWE-405], Asymmetric Resource Consumption (Amplification); that class describes a resource-consumption weakness rather than the input-validation problem described here, and SAP has not published details that reconcile the two, so verify the weakness class against the SAP Note before building detections around it.

Root Cause

The root cause is insufficient input validation combined with improper handling of remote method calls in the Xcelsius remote service handler. The service trusts the structure and content of incoming method requests, allowing attacker-supplied data to influence execution paths. Without strict type checking and sanitization, crafted payloads can trigger arbitrary code execution on the SAP NetWeaver host.

Attack Vector

The attack vector is network-based but requires high privileges and high attack complexity. An attacker must already possess valid high-privileged credentials to authenticate to the SAP NetWeaver instance. Once authenticated, the attacker sends crafted remote method invocations to the Xcelsius service endpoint. No user interaction is required. Successful exploitation grants the attacker the ability to execute code, disrupt the service, or take unauthorized control of the system.

No public proof-of-concept code is available for CVE-2025-42874 at the time of writing. SAP has not released technical exploitation details. See SAP Note #3640185 for vendor-supplied technical guidance.

Detection Methods for CVE-2025-42874

Indicators of Compromise

  • Unexpected child processes spawned by SAP NetWeaver service accounts following remote method invocations to the Xcelsius endpoint
  • Anomalous outbound network connections originating from the SAP NetWeaver host shortly after Xcelsius service activity
  • Unusual entries in SAP NetWeaver application logs referencing malformed or oversized remote method payloads targeting Xcelsius
  • Creation or modification of files in SAP installation directories by the service account without a corresponding administrative change

Detection Strategies

  • Monitor the SAP Security Audit Log (SM20, or RSAU_READ_LOG on NetWeaver 7.50 and later; configured via SM19 or RSAU_CONFIG) for high-privilege authentication events followed by Xcelsius service calls
  • Inspect network telemetry for connections to Xcelsius remote service ports from non-administrative source hosts
  • Baseline normal remote method invocation patterns and alert on deviations such as unexpected method names or argument sizes
  • Correlate process execution telemetry from the SAP host with remote method call timestamps to surface code execution attempts

Monitoring Recommendations

  • Forward SAP NetWeaver security audit logs, OS-level process telemetry, and network flow data to a centralized SIEM for correlation
  • Alert on any new process executions launched by SAP service accounts that are not part of the documented application baseline
  • Track privileged account usage on SAP systems and flag logins from unusual source IPs or at atypical times
  • Review SAP Solution Manager and EarlyWatch reports regularly for indicators of unpatched components
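
The correlation described in the detection and monitoring lists above, as an added example that is not part of the original page or of any SAP tooling: it parses three constructed telemetry streams (audit-log logons, Xcelsius endpoint calls, OS process executions) and raises an alert when a high-privilege logon is followed, within a short window, by a Xcelsius call from outside the administrative subnet, an oversized payload, or a process launched by the SAP service account that is not in the documented baseline. The log format, field names, endpoint path `/xcelsius/remote`, role names, the `sapadm` account, subnet and thresholds are all assumptions for the example; a real deployment would map the parser onto the SIEM's actual schema and derive the baseline from observed traffic.

```python
"""Added example: correlate high-privilege logons, Xcelsius remote-service calls
and SAP service-account process launches to surface the exploitation pattern
for CVE-2025-42874. All log lines and field names are constructed for this
example and do not reflect SAP's real audit-log or ICM log formats."""
from datetime import datetime, timedelta

# --- Constructed sample telemetry (not real SAP output) ---------------------
AUTH_LOG = [  # Security Audit Log logon events, simplified
    "2025-12-10T09:00:01Z user=ADM_JDOE role=SAP_ALL src=10.0.5.20 result=OK",
    "2025-12-10T09:00:30Z user=BI_ANALYST role=SAP_BI_USER src=10.0.7.41 result=OK",
    "2025-12-10T11:15:02Z user=ADM_SVC role=SAP_ALL src=203.0.113.9 result=OK",
]
ENDPOINT_LOG = [  # requests reaching the (hypothetical) Xcelsius remote endpoint
    "2025-12-10T09:00:05Z user=ADM_JDOE src=10.0.5.20 path=/xcelsius/remote method=refreshDashboard size=812",
    "2025-12-10T11:15:10Z user=ADM_SVC src=203.0.113.9 path=/xcelsius/remote method=invoke size=48211",
]
PROCESS_LOG = [  # OS process telemetry from the SAP host
    "2025-12-10T09:00:07Z account=sapadm parent=jstart image=/usr/sap/hostctrl/exe/saposcol",
    "2025-12-10T11:15:12Z account=sapadm parent=jstart image=/bin/sh",
    "2025-12-10T11:15:13Z account=sapadm parent=/bin/sh image=/usr/bin/curl",
]

# --- Assumed environment knowledge (would come from your own baselining) -----
HIGH_PRIV_ROLES = {"SAP_ALL", "SAP_NEW"}
SAP_SERVICE_ACCOUNTS = {"sapadm"}
PROCESS_BASELINE = {"/usr/sap/hostctrl/exe/saposcol"}   # documented normal child processes
ADMIN_SUBNET_PREFIX = "10.0.5."                         # trusted administrative range
MAX_PAYLOAD_BYTES = 8192                                # largest payload seen during baselining
WINDOW = timedelta(minutes=5)                           # logon -> call -> process window


def parse(line):
    """Parse 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def within(start, ts, window=WINDOW):
    """True if ts falls in [start, start + window]."""
    return start <= ts <= start + window


def detect(auth_lines, endpoint_lines, process_lines):
    """Return one alert per suspicious Xcelsius call that follows a high-privilege logon."""
    logons = [parse(line) for line in auth_lines]
    calls = [parse(line) for line in endpoint_lines]
    procs = [parse(line) for line in process_lines]
    alerts = []
    for logon in logons:
        if logon["result"] != "OK" or logon["role"] not in HIGH_PRIV_ROLES:
            continue
        for call in calls:
            if call["user"] != logon["user"] or not call["path"].startswith("/xcelsius/"):
                continue
            if not within(logon["ts"], call["ts"]):
                continue
            reasons = []
            if not call["src"].startswith(ADMIN_SUBNET_PREFIX):
                reasons.append(f"call from non-administrative source {call['src']}")
            if int(call["size"]) > MAX_PAYLOAD_BYTES:
                reasons.append(f"payload {call['size']} bytes exceeds baseline")
            for proc in procs:
                # Service-account processes outside the documented baseline, shortly after the call
                if (proc["account"] in SAP_SERVICE_ACCOUNTS
                        and within(call["ts"], proc["ts"])
                        and proc["image"] not in PROCESS_BASELINE):
                    reasons.append(f"non-baseline process {proc['image']} by {proc['account']}")
            if reasons:
                alerts.append({"user": logon["user"],
                               "call_ts": call["ts"].isoformat(),
                               "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(AUTH_LOG, ENDPOINT_LOG, PROCESS_LOG):
        print(alert["call_ts"], alert["user"])
        for reason in alert["reasons"]:
            print("  -", reason)
```

On the constructed data the administrator's routine dashboard refresh produces no alert, while the second session trips all three checks (external source, oversized payload, `/bin/sh` and `curl` spawned by the service account). The point of combining the signals is to keep a single noisy indicator, such as a large payload alone, from paging an analyst; tune `WINDOW`, `MAX_PAYLOAD_BYTES` and the baseline from your own environment before relying on it.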

How to Mitigate CVE-2025-42874

Immediate Actions Required

  • Apply the SAP security patch referenced in SAP Note #3640185 without delay
  • Inventory all SAP NetWeaver installations and identify systems exposing the Xcelsius remote service
  • Restrict network access to the Xcelsius remote service endpoint to trusted administrative hosts only
  • Audit high-privileged SAP accounts and rotate credentials suspected of exposure

Patch Information

SAP released a fix as part of its December 2025 Security Patch Day. Administrators should consult SAP Note #3640185 for the specific support package and patch level required for each affected release. Additional context is available on the SAP Security Patch Day portal.

Workarounds

  • Disable the Xcelsius remote service on systems where dashboard functionality is not required
  • Place SAP NetWeaver application servers behind a segmented network zone with strict ingress filtering
  • Enforce multi-factor authentication for all high-privileged SAP user accounts, since valid high-privilege credentials are a precondition for exploitation
  • Limit the number of accounts holding administrative authorizations within SAP NetWeaver

```bash
# Example: restrict access to the Xcelsius remote service port at the host firewall
# Replace <PORT> with the configured Xcelsius service port and <ADMIN_SUBNET> with the trusted range (CIDR)
# Insert at the top of INPUT so an earlier broad ACCEPT rule cannot shadow the restriction;
# inserting DROP first and then ACCEPT leaves ACCEPT above DROP in the chain
iptables -I INPUT 1 -p tcp --dport <PORT> -j DROP
iptables -I INPUT 1 -p tcp --dport <PORT> -s <ADMIN_SUBNET> -j ACCEPT
# Verify the order, then persist the ruleset (for example with iptables-save) so it survives a reboot
iptables -L INPUT -n --line-numbers
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
