CVE-2023-23857
CVE-2023-23857 is a critical-severity vulnerability in Sap Netweaver Application Server For Java with a CVSS 3.x base score of 9.9. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-287.
Key facts
- Severity: Critical (CVSS 3.x base score 9.9)
- EPSS exploit prediction: 1% (42nd percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-287
- Affected product: Sap Netweaver Application Server For Java
- Published:
- Last modified:
Description
Due to missing authentication check, SAP NetWeaver AS for Java - version 7.50, allows an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and services across systems. On a successful exploitation, the attacker can read and modify some sensitive information but can also be used to lock up any element or operation of the system making that it unresponsive or unavailable.
Frequently asked questions
- What is CVE-2023-23857?
- Due to missing authentication check, SAP NetWeaver AS for Java - version 7.50, allows an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and services across systems. On a successful exploitation, the attacker can read and modify some sensitive information but can also be used to lock up any element or operation of the system making that it unresponsive or unavailable.
- How severe is CVE-2023-23857?
- CVE-2023-23857 has a CVSS 3.x base score of 9.9, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity low, and availability high.
- Is CVE-2023-23857 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (42nd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-23857?
- CVE-2023-23857 affects Sap Netweaver Application Server For Java. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2023-23857?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- When was CVE-2023-23857 published?
- CVE-2023-23857 was published on 2023-03-14 and last updated on 2026-06-17.
References
- https://launchpad.support.sap.com/#/notes/3252433
- https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
Affected products (1)
- cpe:2.3:a:sap:netweaver_application_server_for_java:7.50:*:*:*:*:*:*:*
More vulnerabilities in Sap Netweaver Application Server For Java
- CVE-2023-0017 — Critical (CVSS 9.4): An unauthenticated attacker in SAP NetWeaver AS for Java - version 7.50, due to improper access control, can attach to…
- CVE-2023-30744 — High (CVSS 8.2): In SAP AS NetWeaver JAVA - versions SERVERCORE 7.50, J2EE-FRMW 7.50, CORE-TOOLS 7.50, an unauthenticated attacker can…
- CVE-2022-27669 — High (CVSS 7.5): An unauthenticated user can use functions of XML Data Archiving Service of SAP NetWeaver Application Server for Java -…
- CVE-2021-27635 — Medium (CVSS 6.5): SAP NetWeaver AS for JAVA, versions - 7.20, 7.30, 7.31, 7.40, 7.50, allows an attacker authenticated as an…
- CVE-2023-31405 — Medium (CVSS 5.3): SAP NetWeaver AS for Java - versions ENGINEAPI 7.50, SERVERCORE 7.50, J2EE-APPS 7.50, allows an unauthenticated…
- CVE-2023-27268 — Medium (CVSS 5.3): SAP NetWeaver AS Java (Object Analyzing Service) - version 7.50, does not perform necessary authorization checks,…
All CVEs affecting Sap Netweaver Application Server For Java →
Other CWE-287 (Improper Authentication) vulnerabilities
- CVE-2026-45480 — Critical (CVSS 10.0): Improper authentication in Azure Active Directory allows an unauthorized attacker to elevate privileges over a network.
- CVE-2026-46389 — Critical (CVSS 10.0): UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS…
- CVE-2026-10611 — Critical (CVSS 10.0): An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement.…
- CVE-2026-47280 — Critical (CVSS 10.0): Improper authentication in Azure Resource Manager (ARM) allows an unauthorized attacker to elevate privileges over a…
- CVE-2026-42822 — Critical (CVSS 10.0): Improper authentication in Azure Local Disconnected Operations allows an unauthorized attacker to elevate privileges…
- CVE-2026-20182 — Critical (CVSS 10.0): May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and…
Browse all CWE-287 (Improper Authentication) vulnerabilities →