VYPR
Medium severity 4.9 · NVD Advisory · Published Jul 8, 2025 · Updated Apr 15, 2026

CVE-2025-42961

Description

Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated user with high privileges could exploit the insufficient validation of user permissions to access sensitive database tables. By leveraging overly permissive access configurations, unauthorized reading of critical data is possible, resulting in a significant impact on the confidentiality of the information stored. However, the integrity and availability of the system remain unaffected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authenticated high-privilege user can exploit a missing authorization check in SAP NetWeaver AS ABAP to read sensitive database tables, impacting confidentiality.

CVE-2025-42961 describes a missing authorization check in SAP NetWeaver Application Server for ABAP. The root cause is insufficient validation of user permissions, allowing an authenticated user with high privileges to bypass access controls and read sensitive database tables. This vulnerability stems from overly permissive access configurations that fail to enforce proper authorization boundaries.

To exploit this flaw, an attacker must be an authenticated user with high privileges on the SAP system. No additional network access beyond normal authenticated sessions is required. The attacker leverages the insufficient permission validation to query database tables that should be restricted, effectively reading confidential data without authorization.

The impact is limited to confidentiality; the attacker can read critical information stored in the database, but cannot modify data or disrupt system availability. This could lead to exposure of sensitive business data, intellectual property, or personal information, depending on the tables accessed.

SAP has addressed this vulnerability through its regular Security Patch Day process [1]. Administrators are advised to apply the relevant SAP Security Notes as soon as possible to mitigate the risk. The patch corrects the authorization check to ensure only properly authorized users can access sensitive tables.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

2
