CVE-2025-42908 MEDIUM

CVE-2025-42908: Cross-Site Request Forgery (CSRF) vulnerability in SAP NetWeaver Application Server for ABAP

Vendor Sap_Se
Product SAP NetWeaver Application Server for ABAP
Weakness CWE-352 · CSRF
Published October 14, 2025
Last update October 14, 2025

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP NetWeaver Application Server for ABAP, an authenticated attacker could initiate transactions directly via the session manager, bypassing the first transaction screen and the associated authorization check. This vulnerability could allow the attacker to perform actions and execute transactions that would normally require specific permissions, compromising the integrity and confidentiality of the system by enabling unauthorized access to restricted functionality. There is no impact to availability from this vulnerability.

Key dates

02Disclosure timeline

October 14, 2025 CVE published
October 14, 2025 Record updated

Related vulnerabilities

04Related CVE