CVE-2025-42895
Description
Due to insufficient validation of connection property values, the SAP HANA JDBC Client allows a high-privilege locally authenticated user to supply crafted parameters that lead to unauthorized code loading, resulting in low impact on confidentiality and integrity and high impact on availability of the application.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The SAP HANA JDBC Client insufficiently validates connection property values, allowing a high-privilege, locally authenticated attacker to trigger unauthorized code loading, with the main impact on availability.
Vulnerability
Overview
The SAP HANA JDBC Client contains a vulnerability (CVE-2025-42895) caused by insufficient validation of connection property values. A high-privilege, locally authenticated user can supply crafted property values that lead to unauthorized code loading. The flaw lies in how the client handles the user-supplied connection properties it receives while a JDBC connection is being set up.
Exploitation
Conditions
Exploitation requires local access to the system running the JDBC client and high privileges on it (for example, administrative rights). The attacker supplies crafted connection property values that pass the client's insufficient validation and cause it to load code that was not authorized. There is no network attack vector: the attacker must already hold a privileged foothold on the machine, so the issue is one of privilege misuse on an already compromised host rather than remote compromise.
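The defence in depth a practitioner would want around this, as an added example that is not SAP's code and is not the patch: an application that builds its HANA connection from configurable input should hand the driver only an allow-list of well-formed properties, rather than forwarding an arbitrary key/value map. The property names, value patterns and URL shape below are assumptions chosen for illustration; the page does not identify which property the CVE concerns, and the example does not reproduce it.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Map;
import java.util.Properties;
import java.util.regex.Pattern;

/**
 * Added example, not SAP code: pass only an allow-list of well-formed
 * connection properties to the JDBC driver instead of forwarding whatever
 * a configuration file or operator supplies.
 */
public final class HanaConnectionFactory {

    // ASSUMPTION: illustrative property names and value shapes. Tailor the
    // map to the properties your application actually needs; anything not
    // listed here is rejected before the driver ever sees it.
    private static final Map<String, Pattern> ALLOWED = Map.of(
            "user",                Pattern.compile("[A-Za-z0-9_.@-]{1,128}"),
            "password",            Pattern.compile("\\p{Print}{1,256}"), // printable ASCII, no control chars
            "encrypt",             Pattern.compile("true|false"),
            "validateCertificate", Pattern.compile("true|false"),
            "currentSchema",       Pattern.compile("[A-Za-z0-9_]{1,128}"));

    // ASSUMPTION: host:port only. Properties appended to the URL after '?'
    // would bypass the map above, so such URLs are refused.
    private static final Pattern URL_SHAPE =
            Pattern.compile("jdbc:sap://[A-Za-z0-9.-]+:\\d{1,5}");

    private HanaConnectionFactory() {}

    /** Returns only allow-listed, well-formed properties; throws on anything else. */
    public static Properties sanitize(Map<String, String> untrusted) {
        Properties clean = new Properties();
        for (Map.Entry<String, String> e : untrusted.entrySet()) {
            Pattern expected = ALLOWED.get(e.getKey());
            if (expected == null) {
                throw new IllegalArgumentException("connection property not allowed: " + e.getKey());
            }
            String value = e.getValue();
            if (value == null || !expected.matcher(value).matches()) {
                throw new IllegalArgumentException("malformed value for connection property: " + e.getKey());
            }
            clean.setProperty(e.getKey(), value);
        }
        return clean;
    }

    /** Rejects URLs that carry anything beyond the server address. */
    public static String validateUrl(String url) {
        if (url == null || !URL_SHAPE.matcher(url).matches()) {
            throw new IllegalArgumentException("unexpected JDBC URL shape");
        }
        return url;
    }

    /** Opens a connection with the filtered properties (needs the HANA driver on the classpath). */
    public static Connection connect(String url, Map<String, String> untrusted) throws SQLException {
        return DriverManager.getConnection(validateUrl(url), sanitize(untrusted));
    }

    // Constructed demonstration input; no database is contacted here.
    public static void main(String[] args) {
        Map<String, String> good = Map.of("user", "APP_USER", "password", "s3cret!", "encrypt", "true");
        System.out.println("accepted keys: " + sanitize(good).stringPropertyNames());

        // A key the application never asked for is refused, whatever its value.
        // "someOtherProperty" is a hypothetical placeholder, not a real driver property.
        Map<String, String> bad = Map.of("user", "APP_USER", "someOtherProperty", "/tmp/x");
        try {
            sanitize(bad);
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }

        // Properties smuggled through the URL are refused as well.
        try {
            validateUrl("jdbc:sap://hana.example.internal:30015/?autocommit=false");
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

Compile with `javac HanaConnectionFactory.java` and run it; `main` exercises only the validation, so no driver or database is needed, while `connect()` additionally requires the SAP HANA JDBC driver (ngdbc.jar) on the classpath. This does not replace the SAP Security Note: the validation gap is inside the client itself, and the filter only narrows what reaches it.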
Impact
Successful exploitation has low impact on confidentiality and integrity and high impact on availability: the most likely outcome is a denial of service of the application using the client, while exposure or modification of data is limited.
Mitigation
SAP has released security patches as part of its regular Security Patch Day [1]. Users should apply the relevant SAP Security Note to remediate the vulnerability. Organizations are advised to follow SAP's patch management guidance and prioritize implementation of this fix.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
References