CVE-2025-42986

Summary

Due to a missing authorization check in an obsolete RFC enabled function module in SAP BASIS, an authenticated low-privileged attacker could call a Remote Function Call (RFC), potentially accessing restricted system information. This results in low impact on confidentiality, with no impact on integrity or availability of the application.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP NetWeaver and ABAP PlatformSAP_BASIS 700affected
SAP_SESAP NetWeaver and ABAP PlatformSAP_BASIS 701affected
SAP_SESAP NetWeaver and ABAP PlatformSAP_BASIS 702affected
SAP_SESAP NetWeaver and ABAP PlatformSAP_BASIS 731affected
SAP_SESAP NetWeaver and ABAP PlatformSAP_BASIS 740affected
SAP_SESAP NetWeaver and ABAP PlatformSAP_BASIS 750affected
SAP_SESAP NetWeaver and ABAP PlatformSAP_BASIS 751affected
SAP_SESAP NetWeaver and ABAP PlatformSAP_BASIS 752affected
SAP_SESAP NetWeaver and ABAP PlatformSAP_BASIS 753affected
SAP_SESAP NetWeaver and ABAP PlatformSAP_BASIS 754affected

Weaknesses

  • CWE-862: CWE-862: Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References