CVE-2025-42891
Description
Due to a missing authorization check in SAP Enterprise Search for ABAP, an attacker with high privileges may read and export the contents of database tables into an ABAP report. This could lead to a high impact on data confidentiality and a low impact on data integrity. There is no impact on the application's availability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization check in SAP Enterprise Search for ABAP allows high-privilege attackers to read and export database table contents into an ABAP report, compromising confidentiality.
CVE-2025-42891 is a missing authorization check vulnerability in SAP Enterprise Search for ABAP. An attacker with high privileges can exploit this flaw to read and export the contents of database tables into an ABAP report, bypassing intended access controls.
Exploitation requires the attacker to already possess high privileges within the SAP system, such as those of an administrator or a user with similar elevated roles. The attack surface is the Enterprise Search functionality, which is designed to index and retrieve data across ABAP systems. No additional user interaction is needed beyond the attacker's own actions.
The primary impact is on data confidentiality, as the attacker can extract sensitive database contents, potentially exposing critical business information. There is also a low impact on data integrity, but no impact on application availability.
SAP has addressed this vulnerability through its regular Security Patch Day process [1]. Administrators are strongly advised to apply the relevant SAP Security Note as soon as possible to mitigate the risk.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.