CVE-2025-42943 MEDIUM

CVE-2025-42943: Information Disclosure in SAP GUI for Windows

Vendor SAP SE
Product SAP GUI for Windows
Weakness CWE-250
Published August 12, 2025
Last update August 12, 2025

CVSS base score

4.5/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

SAP GUI for Windows may allow the leak of NTLM hashes when specific ABAP frontend services are called with UNC paths. For a successful attack, the attacker needs developer authorization in a specific Application Server ABAP to make changes in the code, and the victim needs to execute that code using SAP GUI for Windows. This could trigger automatic NTLM authentication, potentially exposing hashed credentials to an attacker. As a result, it has a high impact on confidentiality.

Key dates

02 Disclosure timeline

August 12, 2025 CVE published
August 12, 2025 Record updated