CVE-2025-42923
Description
Due to insufficient CSRF protection in SAP Fiori App Manage Work Center Groups, an authenticated user could be tricked by an attacker into sending an unintended request to the web server. This has low impact on integrity and no impact on confidentiality and availability of the application.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SAP Fiori App Manage Work Center Groups has insufficient CSRF protection, enabling authenticated users to be tricked into executing unintended requests with low integrity impact.
Vulnerability Description
CVE-2025-42923 describes a cross-site request forgery (CSRF) vulnerability in the SAP Fiori App Manage Work Center Groups. The application fails to implement adequate CSRF protection mechanisms, such as anti-CSRF tokens or proper validation of request origins, allowing an attacker to induce an authenticated user to perform unintended actions on the web server.
Exploitation Conditions
To exploit this vulnerability, an attacker must trick an authenticated user into interacting with a malicious link or visiting a crafted webpage while logged into the application. No additional privileges are required beyond the user's existing session. The attack can be performed remotely over the network, but it relies on social engineering to succeed.
Impact
Successful exploitation has a low impact on integrity, meaning an attacker could modify data or settings within the Manage Work Center Groups function. There is no impact on confidentiality or availability of the application. The CVSS v3 base score is 4.3 (Medium), reflecting the limited consequences and the need for user interaction.
Mitigation
SAP has addressed this vulnerability in their monthly Security Patch Day releases. Organizations should apply the relevant SAP Security Notes as recommended by SAP [1]. No workarounds are currently available, so updating to the patched version is the primary mitigation.
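The check below is an added example, not SAP's code or part of the advisory: it triages logged requests for state-changing calls that arrive from a foreign origin or without an anti-CSRF token header, the two protections named in the vulnerability description. The host name, service path and record layout are assumed placeholders for whatever your gateway or reverse proxy records.

```python
from urllib.parse import urlsplit

# Assumptions (not from the advisory): trusted host and record fields are
# placeholders; map them to your own gateway or reverse-proxy log schema.
TRUSTED_HOSTS = {"fiori.example.internal"}
# MERGE is the OData v2 update verb; the rest are the usual write methods.
STATE_CHANGING = {"POST", "PUT", "PATCH", "MERGE", "DELETE"}

def source_host(record):
    """Host the browser reports as the request source (Origin, else Referer)."""
    for header in ("origin", "referer"):
        value = record.get(header, "")
        if value and value != "null":
            return (urlsplit(value).hostname or "").lower()
    return None  # neither header usable (absent, or Origin: null)

def csrf_findings(record):
    """Return the reasons a logged request looks like a forged cross-site write."""
    if record["method"].upper() not in STATE_CHANGING:
        return []  # safe methods are out of scope for this check
    reasons = []
    host = source_host(record)
    if host is None:
        reasons.append("no usable Origin/Referer")
    elif host not in TRUSTED_HOSTS:
        reasons.append(f"cross-site source {host}")
    if not record.get("csrf_token_sent", False):
        reasons.append("no anti-CSRF token header")
    return reasons

def triage(records):
    """Keep only the records that produced at least one finding."""
    return [(r["path"], r["method"], why) for r in records if (why := csrf_findings(r))]

# Constructed sample records, not real traffic; the path is a placeholder.
P = "/placeholder/service"
SAMPLE = [
    {"method": "GET", "path": P, "origin": "", "csrf_token_sent": False},
    {"method": "POST", "path": P, "origin": "https://fiori.example.internal", "csrf_token_sent": True},
    {"method": "POST", "path": P, "origin": "https://attacker.example", "csrf_token_sent": False},
    {"method": "POST", "path": P, "origin": "null", "referer": "", "csrf_token_sent": True},
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Findings are leads for review, not proof of exploitation: some legitimate clients omit Origin and Referer.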
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 2
News mentions: 0
No linked articles in our index yet.