CVE-2025-23186

Summary

In certain conditions, SAP NetWeaver Application Server ABAP allows an authenticated attacker to craft a Remote Function Call (RFC) request to restricted destinations, which can be used to expose credentials for a remote service. These credentials can then be further exploited to completely compromise the remote service, potentially resulting in a significant impact on the confidentiality, integrity, and availability of the application.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP NetWeaver Application Server ABAPKRNL64NUC 7.22affected
SAP_SESAP NetWeaver Application Server ABAP7.22EXTaffected
SAP_SESAP NetWeaver Application Server ABAPKRNL64UC 7.22affected
SAP_SESAP NetWeaver Application Server ABAP7.53affected
SAP_SESAP NetWeaver Application Server ABAPKERNEL 7.22affected
SAP_SESAP NetWeaver Application Server ABAP7.54affected
SAP_SESAP NetWeaver Application Server ABAP7.77affected
SAP_SESAP NetWeaver Application Server ABAP7.89affected
SAP_SESAP NetWeaver Application Server ABAP7.93affected

Weaknesses

  • CWE-94: CWE-94: Improper Control of Generation of Code ('Code Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References