CSRF Vulnerability in SAP NetWeaver Application Server for ABAP
CVE-2025-42908

5.4 MEDIUM

Key Information:

Vendor:

SAP
CVE Published:
14 October 2025

What is CVE-2025-42908?

SAP NetWeaver Application Server for ABAP is affected by a Cross-Site Request Forgery (CSRF) vulnerability. An authenticated attacker with low privileges can craft a request that bypasses the authorization checks normally enforced when a transaction is started, by launching the transaction directly through the session manager. Transactions the attacker's user is not authorized to run can then be reached, with a low impact on the confidentiality and integrity of the data they expose and no impact on availability. Note that the published CVSS vector rates User Interaction as None, although CSRF in the classic sense depends on a victim's browser issuing the forged request; in practice, treat the issue as a transaction-authorization bypass reachable by any logged-in user and apply the SAP Security Note issued for this CVE.

Affected Version(s)

SAP NetWeaver Application Server for ABAP KRNL64UC 7.53

SAP NetWeaver Application Server for ABAP KERNEL 7.53

SAP NetWeaver Application Server for ABAP 7.54

CVSS V3.1

Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published: 14 October 2025