CVE-2025-42908
Description
Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP NetWeaver Application Server for ABAP, an authenticated attacker could initiate transactions directly via the session manager, bypassing the first transaction screen and the associated authorization check. This vulnerability could allow the attacker to perform actions and execute transactions that would normally require specific permissions, compromising the integrity and confidentiality of the system by enabling unauthorized access to restricted functionality. There is no impact to availability from this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in SAP NetWeaver AS ABAP lets authenticated attackers bypass authorization checks and execute restricted transactions.
Vulnerability
Overview
CVE-2025-42908 is a Cross-Site Request Forgery (CSRF) vulnerability in SAP NetWeaver Application Server for ABAP. The root cause lies in the session manager's handling of transaction initiation; an authenticated attacker can craft a request that bypasses the first transaction screen and its associated authorization check. This bypass allows the attacker to directly initiate transactions intended to be protected by permission controls [1].
Exploitation
Prerequisites
Exploitation requires that the attacker is already authenticated to the SAP system. The attack is carried out by inducing a user who holds an authenticated session to follow a malicious link or visit a crafted page that issues a cross-origin request to the session manager. No additional authentication is needed for the target transaction because the browser attaches the legitimate session's cookies automatically, but the authorization check normally performed at the first transaction screen is skipped. This makes the attack relatively simple for an authenticated adversary with network access to the SAP application [1].
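To make the failure mode concrete, here is an added Python sketch that is not SAP code and not part of this CVE record: a toy transaction dispatcher in which the vulnerable variant performs the authorization check only in the first-screen handler, so a request entering through the session manager never reaches it, while the hardened variant enforces the check at execution time on every entry path and also refuses cross-site requests that lack the session's anti-CSRF token. The transaction-to-role mapping, the trusted origin and all function names are constructed assumptions for illustration.

```python
import secrets
from dataclasses import dataclass, field

# Constructed assumptions for the sketch (not SAP configuration).
TRUSTED_ORIGIN = "https://sap.example.internal"
REQUIRED_ROLE = {"SU01": "user_admin", "SE38": "developer", "FB03": "finance"}


@dataclass
class Session:
    """Minimal model of an authenticated session: who it is, what roles it holds,
    and a per-session anti-CSRF token the browser cannot attach automatically."""
    user: str
    roles: set
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def _authorized(session: Session, tcode: str) -> bool:
    return REQUIRED_ROLE.get(tcode) in session.roles


def vulnerable_dispatch(session: Session, tcode: str, entry_point: str) -> str:
    """Flaw class modelled here: the authorization check lives only in the
    first-screen flow, so the session-manager path reaches execution unchecked."""
    if entry_point == "first_screen":
        if not _authorized(session, tcode):
            return "denied"
    # entry_point == "session_manager": no check before execution
    return f"executed {tcode}"


def hardened_dispatch(session: Session, tcode: str, entry_point: str,
                      origin: str, csrf_token: str) -> str:
    """Same dispatcher with the controls where they belong: reject cross-site
    requests, require the session's CSRF token, and check authorization at the
    point of execution regardless of which entry path (entry_point) was used."""
    # Browsers send Origin on cross-origin POSTs; an absent or foreign Origin is
    # rejected. The token is still the primary control, since Origin alone is
    # not always present on same-origin requests.
    if origin != TRUSTED_ORIGIN:
        return "denied: cross-site request"
    if not secrets.compare_digest(csrf_token or "", session.csrf_token):
        return "denied: missing or invalid CSRF token"
    if not _authorized(session, tcode):
        return "denied: not authorized"
    return f"executed {tcode}"
```

The vulnerable variant denies SU01 to a developer-only session via the first screen yet executes it via the session manager; the hardened variant denies it on both paths.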
Impact
Successful exploitation allows the attacker to execute transactions and perform actions that would normally require specific permissions. This can lead to unauthorized access to restricted functionality, potentially compromising the integrity and confidentiality of the system. The impact is limited to confidentiality and integrity; there is no impact on availability [1].
Mitigation
SAP has addressed this vulnerability in its regular Security Patch Day release. Organizations running SAP NetWeaver AS ABAP should apply the relevant security note as soon as possible. The affected versions are supported under SAP's maintenance strategy, and patches are available through SAP for Me [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0. No patches discovered yet.
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 2
News mentions: 0. No linked articles in our index yet.