SecuriTricks - CVE-2025-42908

Description

Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP NetWeaver Application Server for ABAP, an authenticated attacker could initiate transactions directly via the session manager, bypassing the first transaction screen and the associated authorization check. This vulnerability could allow the attacker to perform actions and execute transactions that would normally require specific permissions, compromising the integrity and confidentiality of the system by enabling unauthorized access to restricted functionality. There is no impact to availability from this vulnerability.

Product(s) Impacted

Vendor	Product	Versions
Sap	Sap Netweaver Application Server For Abap	*

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-352

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	sap	sap_netweaver_application_server_for_abap	/	/	/	/	/	/	/	/

References

https://me.sap.com/notes/3642021

https://url.sap/sapsecuritypatchday

CVSS Score

5.4 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

View Vector String

Timeline

Published: Oct. 14, 2025, 1:15 a.m.
Last Modified: Oct. 14, 2025, 7:36 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cna@sap.com

CVE-2025-42908