CVE-2025-42938
Description
Due to a Cross-Site Scripting (XSS) vulnerability in the SAP NetWeaver ABAP Platform, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated user clicks on this link, the injected input is processed during the website's page generation, resulting in the creation of malicious content. When executed, this content allows the attacker to access or modify information within the victim's browser scope, impacting confidentiality and integrity, while availability remains unaffected.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated attacker can craft a malicious link that, when clicked by an authenticated user, triggers reflected XSS in SAP NetWeaver ABAP Platform (the payload travels in the link and is processed during page generation), compromising confidentiality and integrity.
Vulnerability
Overview
CVE-2025-42938 is a Cross-Site Scripting (XSS) vulnerability in the SAP NetWeaver ABAP Platform. The root cause lies in insufficient sanitization of user-supplied input during page generation. An unauthenticated attacker can create a malicious link and make it publicly accessible; when an authenticated user clicks the link, the injected script is processed and rendered by the application [1].
Exploitation
Prerequisites
No authentication is required to generate the malicious link, but the victim must be an authenticated user of the SAP system. The attack is delivered via a crafted URL: the injected content is rendered by the victim's browser and executes within the origin of the vulnerable application, so it runs with the victim's session. The vulnerability does not require any special network position beyond standard web access to the SAP system [1].
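The defect class behind this CVE is untrusted input from the request reaching the generated HTML without context-appropriate encoding. The following is an added illustration, not SAP NetWeaver code and not taken from the references: a minimal page generator that echoes a query parameter (the vulnerable pattern) beside hardened variants for the HTML text, attribute and script contexts. The parameter name `q`, the host `sap.example`, the page layout and the sample payloads are all constructed for the example.

```python
"""Reflected XSS through a crafted link: vulnerable vs. hardened rendering.

Added example (generic Python, not SAP code).  The URL, parameter name and
payloads below are constructed for illustration.
"""
import json
from html import escape
from urllib.parse import parse_qs, quote, urlparse

# Constructed sample links of the kind an attacker could publish.  The payloads
# are harmless alerts, used only to show whether script reaches the page.
ATTACK_URL = "https://sap.example/app/search?q=" + quote(
    '<img src=x onerror="alert(document.cookie)">'
)
SCRIPT_BREAKOUT_URL = "https://sap.example/app/search?q=" + quote(
    "</script><script>alert(1)</script>"
)


def query_param(url: str, name: str = "q") -> str:
    """Return the first value of a query parameter, or "" if absent."""
    return parse_qs(urlparse(url).query).get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Echo the parameter straight into the HTML body: the vulnerable pattern.

    The browser parses the injected tag and runs its event handler.
    """
    return f"<h1>Results for {query_param(url)}</h1>"


def render_hardened(url: str) -> str:
    """Encode for the HTML text context before interpolation.

    '<', '>', '&' and quotes become entities, so the payload is displayed as
    literal text instead of being parsed as markup.
    """
    return f"<h1>Results for {escape(query_param(url), quote=True)}</h1>"


def render_in_attribute(url: str) -> str:
    """Same input inside an attribute: always quote the attribute and encode
    quotes as well (escape(..., quote=True) does both '"' and "'")."""
    return f'<input name="q" value="{escape(query_param(url), quote=True)}">'


def js_string_literal(value: str) -> str:
    """Encode for a JavaScript string literal inside a <script> block.

    json.dumps handles quotes and backslashes, but leaves '<' and '>' alone,
    so "</script>" inside the value would still close the script element.
    Replacing them with \\u003c / \\u003e keeps the literal inert.
    """
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def render_in_script(url: str) -> str:
    """Same input embedded in page script, encoded for the JS string context."""
    return f"<script>var q = {js_string_literal(query_param(url))};</script>"


def markup_survives(rendered: str) -> bool:
    """Check used here to flag output in which an injected tag is still live:
    a raw '<img' start tag or an unencoded on* handler."""
    return "<img" in rendered or "onerror=\"" in rendered


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable),
                     ("hardened", render_hardened),
                     ("attribute", render_in_attribute)):
        out = fn(ATTACK_URL)
        print(f"{name:10s} live markup: {markup_survives(out)}  -> {out}")
    print("script    ", render_in_script(SCRIPT_BREAKOUT_URL))
```

The point of the three hardened variants is that the encoding must match the context into which the value is written; one HTML-text escape does not protect an attribute that is left unquoted or a value placed inside a script block. In ABAP the corresponding built-in is `escape( val = ... format = cl_abap_format=>e_html_text )`, with `e_html_attr` and `e_html_js` for the other two contexts (general ABAP knowledge, not something the references state about this CVE's fix).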
Impact
Successful exploitation allows the attacker to access or modify information within the victim's browser scope. This directly impacts the confidentiality and integrity of data visible to the victim, while availability remains unaffected. The attacker could potentially read session tokens, perform actions on behalf of the victim, or deface the application interface [1]. Session cookies flagged HttpOnly are not readable by injected script, but the script can still issue requests that carry them, so actions in the victim's session remain possible either way.
Mitigation
SAP has released security patches as part of its monthly Security Patch Day. Customers are strongly advised to apply the relevant SAP Security Notes for CVE-2025-42938 and to confirm afterwards that the installed support package or correction level matches the one the note lists for their software component. No workarounds are mentioned in the available references; patching is the recommended course of action [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.