CVE-2025-42882
Description
Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker with basic privileges could execute a specific function module in ABAP to retrieve restricted technical information from the system. This disclosure of environment details of the system could further assist this attacker to plan subsequent attacks. As a result, this vulnerability has a low impact on confidentiality, with no impact on the integrity or availability of the application.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated attacker with basic privileges can exploit a missing authorization check in SAP NetWeaver ABAP to retrieve restricted technical information.
Vulnerability Overview
CVE-2025-42882 is a missing authorization check vulnerability in SAP NetWeaver Application Server for ABAP. The flaw allows an authenticated attacker with basic privileges to execute a specific function module that retrieves restricted technical information from the system. The root cause is the absence of proper authorization validation for this function module, enabling unauthorized access to environment details.
Exploitation
An attacker must be authenticated to the SAP system and possess basic user privileges. No special network position or additional authentication is required beyond the initial session. The attacker can directly invoke the vulnerable function module to extract sensitive technical data, such as system configuration or internal details.
Impact
Successful exploitation results in the disclosure of restricted technical information, which has a low impact on confidentiality. The vulnerability does not affect the integrity or availability of the application. However, the leaked information could assist the attacker in planning subsequent, more severe attacks against the system.
Mitigation
SAP has addressed this vulnerability through its regular Security Patch Day process [1]. Customers are advised to apply the relevant SAP Security Note as soon as possible. The fix is included in the latest support packages for affected versions under mainstream and extended maintenance.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (2)
News mentions (0)
No linked articles in our index yet.