CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-42989: Missing Authorization check in SAP NetWeaver Application Server for ABAP

9.6 CVSS

Description

RFC inbound processing�does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. On successful exploitation the attacker could critically impact both integrity and availability of the application.

Classification

CVE ID: CVE-2025-42989

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.6

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H

Problem Types

CWE-862: Missing Authorization

Affected Products

Vendor: SAP_SE

Product: SAP NetWeaver Application Server for ABAP

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 9.91% (scored less or equal to compared to others)

EPSS Date: 2025-06-13 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-42989
https://me.sap.com/notes/3600840
https://url.sap/sapsecuritypatchday

Timeline

2025-06-10 03:40:14 UTC
CVE

Missing Authorization check in SAP NetWeaver Application Server for ABAP