CVE-2025-27437
Description
SAP NetWeaver AS ABAP has a missing authorization check in its Virus Scanner Interface, letting a low-privilege user access non-sensitive data without permission.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability lies in the Virus Scanner Interface of SAP NetWeaver Application Server ABAP. A missing authorization check allows an authenticated attacker who holds only a non-administrative role to initiate a transaction that should require higher privileges [1]. The root cause is the absence of proper access control enforcement at the point of entry, meaning the system does not verify whether the user has the required authorization to perform the operation.
Exploitation
An attacker must be authenticated as a standard user (not an administrator) to exploit this flaw. No special network access or prior knowledge is needed beyond valid credentials for a low-privileged account. The attacker can trigger the vulnerable transaction remotely, leveraging the missing check to gain access to resources that are ordinarily restricted [1].
Impact
Successful exploitation results in unauthorized access to non-sensitive data. The attacker can view information but cannot modify it, and the vulnerability has no effect on system availability or data integrity. While the exposed data is classified as non-sensitive, its exposure still violates the principle of least privilege and could aid in further attacks or information gathering [1].
Mitigation
SAP has released a security note as part of its regular Patch Day to address this issue [1]. All customers running affected versions of SAP NetWeaver Application Server ABAP are strongly advised to apply the provided patch promptly. No workarounds have been published, so updating is the only recommended mitigation.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (2)
News mentions (0)
No linked articles in our index yet.