CVE-2025-42895: Code Loading in SAP HANA JDBC Client

An attacker exploiting CVE-2025-42895 could leverage their high-privilege local access to craft malicious connection property parameters. These parameters, due to the lack of proper validation, could be used to load arbitrary code into the SAP HANA JDBC Client process. Successful exploitation could lead to a denial-of-service (DoS) condition, rendering the application unavailable. While the direct impact on confidentiality and integrity is considered low, the ability to execute code within the client process opens the door to further attacks, potentially allowing an attacker to escalate privileges or exfiltrate sensitive data stored within the SAP HANA database. The blast radius extends to any application relying on the vulnerable JDBC client to connect to the SAP HANA database.

1. आरक्षित2025-04-16
2. प्रकाशित2025-11-11
3. संशोधित2025-11-12
4. EPSS अद्यतन2026-03-23

The primary mitigation for CVE-2025-42895 is to upgrade the SAP HANA JDBC Client to version 2.0.1 or later. If an immediate upgrade is not feasible, consider implementing stricter access controls to limit the privileges of local users. Review and restrict connection property configurations to prevent the injection of malicious parameters. While a direct WAF rule is unlikely to be effective, monitoring network traffic for unusual connection attempts or code loading activity could provide early warning signs. After upgrading, confirm the fix by attempting to establish a connection with crafted parameters known to trigger the vulnerability; the connection should fail with an appropriate error message.