CVE-2025-42908: Cross-Site Request Forgery in SE SAP NetWeaver Application Server for ABAP

Severity
5.4 MEDIUM (NVD)
EPSS
0.0%
top 94.60%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Oct 14

Description

Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP NetWeaver Application Server for ABAP, an authenticated attacker could initiate transactions directly via the session manager, bypassing the first transaction screen and the associated authorization check. This vulnerability could allow the attacker to perform actions and execute transactions that would normally require specific permissions, compromising the integrity and confidentiality of the system by enabling unauthorized access

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Exploitability: 2.8 | Impact: 2.5

Affected Packages: 1 package

Vulnerability Details (2)
GHSA
GHSA-37rg-fg68-qv29: Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP NetWeaver Application Server for ABAP, an authenticated attacker could initiate transa (2025-10-14)
CVEList
Cross-Site Request Forgery (CSRF) vulnerability in SAP NetWeaver Application Server for ABAP (2025-10-14)