low2026-06-09SAP NetWeaverCVE-2025-68161

Apache Log4j Vulnerability in SAP NetWeaver AS Java UME

SAP NetWeaver Application Server Java (UME — Apache Log4j)

Our Take

Low severity, but Log4j vulnerabilities in SAP components have a notable history. Bundle with other NetWeaver Java notes in the next planned window.

Vulnerability Detail

Apache Log4j vulnerability in the User Management Engine (UME) component of SAP NetWeaver Application Server Java. While low severity in this context, Log4j vulnerabilities in SAP Java components should be addressed as part of routine dependency hygiene.

Patch Action

Apply SAP Note 3726899.

Affected Versions

ENGINEAPI 7.50

Patch Info

CVSS Score

3.3

SAP Note

3726899 ↗

CVE

CVE-2025-68161

Published

2026-06-09

All content is editorial summary, not professional security advice. CVSS scores and SAP Note IDs are factual references. Patch timing is the responsibility of your security team based on your environment and SAP's official guidance.

← All patches