CVE-2025-42943 β€” Execution with Unnecessary Privileges in SE SAP GUI FOR Windows

CWE-250 β€” Execution with Unnecessary Privileges3 documents3 sources
Severity
4.5MEDIUMNVD
EPSS
0.0%
top 88.40%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
SAP SE SAP GUI FOR Windows
Timeline
PublishedAug 12

Description

SAP GUI for Windows may allow the leak of NTML hashes when specific ABAP frontend services are called with UNC paths. For a successful attack, the attacker needs developer authorization in a specific Application Server ABAP to make changes in the code, and the victim needs to execute by using SAP GUI for Windows. This could trigger automatic NTLM authentication, potentially exposing hashed credentials to an attacker. As a result, it has a high impact on the confidentiality.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:NExploitability: 0.9 | Impact: 3.6

Affected Packages1 packages

β–ΆCVEListV5sap_se/sap_gui_for_windowsBC-FES-GUI 8.00

πŸ”΄Vulnerability Details

2
GHSA
GHSA-3wph-gw9m-m3mm: SAP GUI for Windows may allow the leak of NTML hashes when specific ABAP frontend services are called with UNC paths↗2025-08-12
β–Ά
CVEList
Information Disclosure in SAP GUI for Windows↗2025-08-12
β–Ά
CVE-2025-42943 β€” Execution with Unnecessary Privileges | cvebase