CVE-2025-42908

Summary

Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP NetWeaver Application Server for ABAP, an authenticated attacker could initiate transactions directly via the session manager, bypassing the first transaction screen and the associated authorization check. This vulnerability could allow the attacker to perform actions and execute transactions that would normally require specific permissions, compromising the integrity and confidentiality of the system by enabling unauthorized access to restricted functionality. There is no impact to availability from this vulnerability.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP NetWeaver Application Server for ABAPKRNL64UC 7.53affected
SAP_SESAP NetWeaver Application Server for ABAPKERNEL 7.53affected
SAP_SESAP NetWeaver Application Server for ABAP7.54affected
SAP_SESAP NetWeaver Application Server for ABAP7.77affected
SAP_SESAP NetWeaver Application Server for ABAP7.89affected
SAP_SESAP NetWeaver Application Server for ABAP7.93affected
SAP_SESAP NetWeaver Application Server for ABAP9.16affected

Weaknesses

  • CWE-352: CWE-352: Cross-Site Request Forgery

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References