CVE-2025-27428Missing Authorization in SE SAP Netweaver AND Abap Platform

CWE-862Missing Authorization3 documents3 sources
Severity
7.7HIGHNVD
EPSS
0.4%
top 40.14%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
SAP SE SAP Netweaver AND Abap Platform
Timeline
PublishedApr 8

Description

Due to directory traversal vulnerability, an authorized attacker could gain access to some critical information by using RFC enabled function module. Upon successful exploitation, they could read files from any managed system connected to SAP Solution Manager, leading to high impact on confidentiality. There is no impact on integrity or availability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:NExploitability: 3.1 | Impact: 4.0

Affected Packages1 packages

CVEListV5sap_se/sap_netweaver_and_abap_platform2008_1_710, 740, ST-PI 2008_1_700+2

🔴Vulnerability Details

2
GHSA
GHSA-rc4p-33hg-59pr: Due to directory traversal vulnerability, an authorized attacker could gain access to some critical information by using RFC enabled function module2025-04-08
CVEList
Directory Traversal vulnerability in SAP NetWeaver and ABAP Platform (Service Data Collection)2025-04-08
CVE-2025-27428 — Missing Authorization | cvebase