CVE-2025-42927

The vulnerability resides in SAP NetWeaver AS Java's Adobe Document Service, which is shipped with an outdated version of the OpenSSL library. The root cause is the failure to update or replace the bundled OpenSSL, leaving known weaknesses present in that library version exploitable within the context of the service.

Exploitation requires the attacker to already possess high system privileges (e.g., administrative access). No network-level or user-interaction precondition is described beyond that privilege requirement. The attack surface is therefore limited to users who already have elevated rights on the affected system.

Successful exploitation could allow an attacker with those high privileges to read or modify system information that the Adobe Document Service processes through the outdated OpenSSL. The impact is rated low for both confidentiality and integrity, and there is no impact on availability.

SAP has not yet released a dedicated security note for this specific CVE as of the publication date, but the vendor's standard patch day process applies. Users should monitor SAP Security Notes and apply any relevant updates for the Adobe Document Service and the bundled OpenSSL library as they become available. Because the CVSS score is low, the fix may be delivered in the next support package rather than an out-of-band patch.

[1]