CVE-2025-42936 — Incorrect Privilege Assignment in SE SAP Netweaver Application Server FOR Abap

CWE-266 — Incorrect Privilege Assignment3 documents3 sources

Severity

5.4MEDIUMNVD

EPSS

0.0%

top 89.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Netweaver Application Server FOR Abap SAP Basis

Timeline

PublishedAug 12

Description

The SAP NetWeaver Application Server for ABAP does not enable an administrator to assign distinguished authorizations for different user roles, this issue allows authenticated users to access restricted objects in the barcode interface, leading to privilege escalation. This results in a low impact on the confidentiality and integrity of the application, there is no impact on availability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages2 packages

▶CVEListV5sap_se/sap_netweaver_application_server_for_abap15 versions+14

▶NVDsap/sap_basis15 versions+14

Patches

Patch: url.sap ↗

🔴Vulnerability Details

CVEList

Missing Authorization check in SAP NetWeaver Application Server for ABAP↗2025-08-12

▶

GHSA

GHSA-x5gw-xjgf-g6gh: The SAP NetWeaver Application Server for ABAP does not enable an administrator to assign distinguished authorizations for different user roles, this i↗2025-08-12

▶