CVE-2025-42989 — Missing Authorization in SE SAP Netweaver Application Server FOR Abap

CWE-862 — Missing Authorization3 documents3 sources

Severity

9.6CRITICALNVD

EPSS

0.2%

top 54.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

SAP SE SAP Netweaver Application Server FOR Abap

Timeline

PublishedJun 10

Description

RFC inbound processing�does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. On successful exploitation the attacker could critically impact both integrity and availability of the application.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:HExploitability: 3.1 | Impact: 5.8

Affected Packages1 packages

▶CVEListV5sap_se/sap_netweaver_application_server_for_abap4 versions+3

🔴Vulnerability Details

CVEList

Missing Authorization check in SAP NetWeaver Application Server for ABAP↗2025-06-10

▶

GHSA

GHSA-p85x-xv8x-v67q: RFC inbound processing�does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges↗2025-06-10

▶