CVE-2025-42948
Description
Due to a Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Platform, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated user clicks on this link, the injected input is processed during the website's page generation, resulting in the creation of malicious content. When this malicious content gets executed, the attacker could gain the ability to access/modify information within the scope of victim's browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated cross-site scripting vulnerability in SAP NetWeaver ABAP Platform allows an attacker to trick authenticated users into executing malicious content.
Vulnerability Overview
CVE-2025-42948 describes a cross-site scripting (XSS) vulnerability in SAP NetWeaver ABAP Platform. The root cause is improper sanitization of user input during page generation. An unauthenticated attacker can craft a malicious link and make it publicly accessible [1].
Exploit Prerequisites
The attack chain requires an authenticated SAP NetWeaver user to click on the crafted link. No authentication is needed for the attacker, but the victim must be logged into the platform. The injected input is processed during the server-side page generation, leading to the creation of malicious content that executes in the victim's browser [1].
Impact
If exploited successfully, the attacker gains the ability to access or modify information within the scope of the victim's browser session. This could include viewing, changing, or exfiltrating data visible to the authenticated user, potentially leading to further compromise [1].
Mitigation
SAP recommends applying the security notes released on the SAP Security Patch Day, which contain corrections for this vulnerability. Administrators should prioritize implementing these fixes for installations under mainstream or extended maintenance [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 2
News mentions: 0
No linked articles in our index yet.