CVE-2025-42989 PUBLISHED

Missing Authorization check in SAP NetWeaver Application Server for ABAP

Assigner: sap
Reserved: 16.04.2025 Published: 10.06.2025 Updated: 11.06.2025

RFC inbound processing�does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. On successful exploitation the attacker could critically impact both integrity and availability of the application.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
CVSS Score: 9.6

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	SAP_SE
Product	SAP NetWeaver Application Server for ABAP
Versions	Default: unaffected Version KERNEL 7.89 is affected Version 7.93 is affected Version 9.14 is affected Version 9.15 is affected

References

https://me.sap.com/notes/3600840
https://url.sap/sapsecuritypatchday

CVE-2025-42989 PUBLISHED

Missing Authorization check in SAP NetWeaver Application Server for ABAP

Metrics

Product Status

References

Problem Types