Information Disclosure Vulnerability in SAP Application Server ABAP
CVE-2025-42904

6.5MEDIUM

Key Information:

Vendor: SAP
Status: Application Server Abap
Vendor: CVE Published:; 9 December 2025

What is CVE-2025-42904?

An information disclosure vulnerability resides in SAP's Application Server ABAP, allowing authenticated attackers to view sensitive unmasked data presented in ABAP Lists. Exploiting this flaw may lead to unauthorized exposure of confidential information, thereby compromising user privacy. Remediation is essential to prevent potential data breaches and safeguard sensitive data.

Affected Version(s)

Application Server ABAP KRNL64UC 7.53

Application Server ABAP KERNEL 7.53

Application Server ABAP 7.54

References

https://me.sap.com/notes/3662324

https://url.sap/sapsecuritypatchday

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 9, 2025
Vulnerability Reserved
Apr 16, 2025

JSON