VYPR
Medium severity (CVSS 5.8) · NVD Advisory · Published Jul 8, 2025 · Updated Apr 15, 2026

CVE-2025-42970

Description

SAPCAR improperly sanitizes the file paths while extracting SAPCAR archives. Due to this, an attacker could craft a malicious SAPCAR archive containing directory traversal sequences. When a high privileged victim extracts this malicious archive, it is then processed by SAPCAR on their system, causing files to be extracted outside the intended directory and overwriting files in arbitrary locations. This vulnerability has a high impact on the integrity and availability of the application with no impact on confidentiality.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SAPCAR's improper file path sanitization allows directory traversal in archive extraction, enabling overwriting of arbitrary files by a high-privileged victim.

Vulnerability Analysis

CVE-2025-42970 describes a directory traversal vulnerability in SAPCAR, SAP's archive extraction tool. The root cause is improper sanitization of file paths when processing SAPCAR archives. An attacker can craft a malicious SAPCAR archive containing directory traversal sequences (e.g., using relative paths like "../"). When a victim with high privileges extracts this archive using SAPCAR, the tool follows the traversal sequences and extracts files outside the intended target directory [1].
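The missing check behind a traversal bug of this kind is easier to see in code. The following Python is an added example, not SAPCAR's code (its internals are not public) and not SAP's fix: it places the bare path join a trusting extractor performs next to the containment check that refuses any member name resolving outside the destination directory. The member names and the destination path are constructed samples.

```python
"""Containment check for archive member paths during extraction.

Added example, not SAPCAR code: SAPCAR's internals are not public. This shows
the generic check a traversal-vulnerable extractor lacks, namely resolving
each archive member name against the destination directory and refusing
anything that would land outside it.
"""
import os
import posixpath
from typing import List, Optional, Tuple

# Constructed sample member names of the kind an extractor reads from archive
# headers. Illustrative only; not taken from any real archive.
SAMPLE_MEMBERS = [
    "kernel/disp+work",
    "kernel/lib/libsapu16.so",
    "../../../etc/profile",            # traversal sequence at the start
    "/etc/cron.d/sap",                 # absolute path
    "kernel/../../../.bashrc",         # traversal hidden after a normal component
    "kernel/./conf/../sapparam.ini",   # harmless; normalizes to kernel/sapparam.ini
]

# Constructed destination directory; it need not exist for the check to run.
DEST_DIR = "/opt/sap/extract"


def naive_target(dest_dir: str, member: str) -> str:
    """What an extractor does when it trusts the member name: a bare join.

    os.path.join keeps "../" components and is replaced entirely by an
    absolute member, so the result can point anywhere on the filesystem.
    """
    return os.path.join(dest_dir, member)


def resolve_member_path(dest_dir: str, member: str) -> Optional[str]:
    """Return the absolute on-disk path for `member` inside `dest_dir`,
    or None if the member must be rejected because it would escape."""
    # Archive members use forward slashes; also treat backslashes as
    # separators so a Windows-style "..\\.." cannot slip through on POSIX.
    normalized = posixpath.normpath(member.replace("\\", "/"))
    # Reject absolute paths and Windows drive-letter paths outright.
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        return None
    # After normalization, any remaining leading ".." escapes the root.
    if normalized == ".." or normalized.startswith("../"):
        return None
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, normalized))
    # Final containment check on the resolved paths; this also catches
    # escapes through symlinks that already exist inside the destination.
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def safe_relative(dest_dir: str, member: str) -> Optional[str]:
    """Accepted member's path relative to the destination root, or None."""
    target = resolve_member_path(dest_dir, member)
    if target is None:
        return None
    return os.path.relpath(target, os.path.realpath(dest_dir))


def classify_members(dest_dir: str, members: List[str]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Split member names into (accepted as (member, relative_path), rejected)."""
    accepted, rejected = [], []
    for member in members:
        rel = safe_relative(dest_dir, member)
        if rel is None:
            rejected.append(member)
        else:
            accepted.append((member, rel))
    return accepted, rejected


if __name__ == "__main__":
    accepted, rejected = classify_members(DEST_DIR, SAMPLE_MEMBERS)
    for member, rel in accepted:
        print(f"extract  {member!r} -> {rel}")
    for member in rejected:
        print(f"REJECT   {member!r} (naive join would give {naive_target(DEST_DIR, member)})")
```

Normalizing before the prefix test matters: a member such as `kernel/../../../.bashrc` begins with an ordinary component, so a check that only looks for a leading `../` in the raw name would accept it. Resolving with `realpath` and comparing with `commonpath` decides on the final on-disk location rather than on the string.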

Exploitation

The attack requires the victim to extract the malicious archive, either manually with the SAPCAR command or through an automated process that invokes it. The attacker needs no authentication beyond crafting the archive, but the victim must have high privileges for the full impact. The attacker delivers the archive through social engineering or by compromising a distribution channel. Once the victim initiates extraction, SAPCAR processes the malicious paths without proper validation, leading to file overwrites in arbitrary locations [1].

Impact

Successful exploitation results in overwriting files on the system where SAPCAR runs. This has a high impact on integrity (unauthorized modification of files) and availability (potential system instability if critical files are corrupted). Confidentiality is not affected as the vulnerability does not allow reading files. The CVSS v3 base score is 5.8 (Medium), reflecting the need for user interaction and high privileges [1].

Mitigation

SAP addresses vulnerabilities through regular Security Patch Days, where security notes are published with fixes. Users should apply the relevant SAP Security Note for this CVE, obtainable from SAP for Me. For systems under maintenance, SAP provides corrections for supported versions. It is recommended to prioritize implementing these fixes to prevent exploitation [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (2)

News mentions (0)

No linked articles in our index yet.