Unauthorized Access Vulnerability in SAP Applications
CVE-2025-42989

9.6 CRITICAL

Key Information:

Vendor: SAP
CVE Published: 10 June 2025

What is CVE-2025-42989?

This vulnerability involves inadequate authorization checks during RFC inbound processing for authenticated users in SAP applications. An attacker could exploit this weakness to gain elevated privileges, which may lead to significant impacts on the integrity and availability of the application. Organizations using affected SAP products should review their security measures and apply appropriate patches to mitigate this risk.

Affected Version(s)

SAP NetWeaver Application Server for ABAP KERNEL 7.89

SAP NetWeaver Application Server for ABAP 7.93

SAP NetWeaver Application Server for ABAP 9.14

CVSS V3.1

Score: 9.6
Severity: CRITICAL
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
