CVE-2025-42949

Vulnerability

Overview

CVE-2025-42949 is a missing authorization check in the SAP ABAP Platform. The SQL Console does not properly verify whether the authenticated user has the necessary rights to access and read specific database tables, allowing a user who already holds elevated privileges to exceed their intended authorization scope. The root cause is an insufficient permission validation before executing SQL queries via the console interface.

Exploitation

To exploit this vulnerability, an attacker must be an authenticated user with elevated privileges on the SAP system. The attack vector is network-based, requires low attack complexity, and no user interaction. Leveraging the SQL Console, the attacker can issue direct database queries. The missing authorization check means the system will not enforce table-level access restrictions that normally apply to ABAP transactions, effectively bypassing the intended security model. No special privileges beyond already being an authenticated elevated user are needed.

Impact

Successful exploitation leads to unauthorized reading of any database table on the system. This directly compromises data confidentiality, as the attacker can extract sensitive information stored in the database. The CVSS v3 score of 4.9 (Medium) reflects this confidentiality impact, while integrity and availability remain unaffected. The impact is limited to data exposure; the attacker cannot modify or delete data.

Mitigation

SAP has released a security patch for this issue as part of its monthly Security Patch Day. Administrators are strongly advised to apply the relevant SAP Security Note for ABAP Platform to correct the missing authorization check. No workarounds are currently documented; patching is the recommended mitigation. This CVE is not yet listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.

[1]