CVE-2025-42959

Summary

An unauthenticated attacker may exploit a scenario where a Hashed Message Authentication Code (HMAC) credential, extracted from a system missing specific security patches, is reused in a replay attack against a different system. Even if the target system is fully patched, successful exploitation could result in complete system compromise, affecting confidentiality, integrity, and availability.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP NetWeaver ABAP Server and ABAP PlatformSAP_BASIS 700affected
SAP_SESAP NetWeaver ABAP Server and ABAP PlatformSAP_BASIS 701affected
SAP_SESAP NetWeaver ABAP Server and ABAP PlatformSAP_BASIS 702affected
SAP_SESAP NetWeaver ABAP Server and ABAP PlatformSAP_BASIS 731affected
SAP_SESAP NetWeaver ABAP Server and ABAP PlatformSAP_BASIS 740affected
SAP_SESAP NetWeaver ABAP Server and ABAP PlatformSAP_BASIS 750affected
SAP_SESAP NetWeaver ABAP Server and ABAP PlatformSAP_BASIS 751affected
SAP_SESAP NetWeaver ABAP Server and ABAP PlatformSAP_BASIS 752affected
SAP_SESAP NetWeaver ABAP Server and ABAP PlatformSAP_BASIS 753affected
SAP_SESAP NetWeaver ABAP Server and ABAP PlatformSAP_BASIS 754affected
SAP_SESAP NetWeaver ABAP Server and ABAP PlatformSAP_BASIS 755affected
SAP_SESAP NetWeaver ABAP Server and ABAP PlatformSAP_BASIS 756affected
SAP_SESAP NetWeaver ABAP Server and ABAP PlatformSAP_BASIS 757affected
SAP_SESAP NetWeaver ABAP Server and ABAP PlatformSAP_BASIS 758affected
SAP_SESAP NetWeaver ABAP Server and ABAP PlatformSAP_BASIS 914affected
SAP_SESAP NetWeaver ABAP Server and ABAP PlatformSAP_BASIS 915affected

Weaknesses

  • CWE-308: CWE-308: Use of Single-factor Authentication

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References