CVE-2025-26659
📋 TL;DR
SAP NetWeaver Application Server ABAP has a DOM-based Cross-Site Scripting vulnerability in WEBGUI: client-side script processes crafted web messages without sufficiently encoding the user-controlled content, so an unauthenticated attacker can get JavaScript to execute in the browser of a logged-in victim. A successful attack lets the attacker read user data or manipulate page content within the victim's WEBGUI session. All organizations running vulnerable SAP NetWeaver ABAP systems are affected.
💻 Affected Systems
- SAP NetWeaver Application Server ABAP
⚠️ Manual Verification Required
This CVE entry carries no version information in our database, so automatic vulnerability detection cannot determine whether your system is affected: the vendor/NVD entry provides no vulnerable version ranges. Check manually instead:
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal sensitive session data, credentials, or manipulate transactions to perform unauthorized actions using victim's authenticated session.
Likely Case
Attackers steal session cookies or user data through phishing-style attacks targeting SAP users.
If Mitigated (workarounds in place, patch not yet applied)
Impact is limited to data theft from individual users who open a malicious link while logged in, with no server-side compromise.
🎯 Exploit Status
No authentication is needed to deliver the payload, but the attack requires user interaction: the victim must open an attacker-controlled page or link while holding an active WEBGUI session.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply SAP Security Note 3552824
Vendor Advisory: https://me.sap.com/notes/3552824
Restart Required: Yes
Instructions:
1. Download SAP Note 3552824 from the SAP Support Portal.
2. Apply the correction instructions (transaction SNOTE).
3. Restart the affected SAP systems.
4. Verify that the note shows as implemented.
🔧 Temporary Workarounds
Input Validation and Output Encoding
Add input validation and output encoding for user-controlled inputs in WEBGUI. Because the flaw is DOM-based, the encoding has to happen in the client-side script that consumes the web message (check the sender origin, write to text sinks rather than HTML sinks); server-side filtering alone never sees a payload delivered through a browser web message.
Content Security Policy
Serve a strict Content-Security-Policy header that restricts script execution; without 'unsafe-inline' in script-src, injected inline event handlers are blocked. Test WEBGUI thoroughly before rollout, as a policy that is too strict can break the UI.
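The following is an added illustration of the vulnerability class this note describes and of the client-side hardening the workaround above calls for. It is not SAP's WEBGUI code: a generic `message` event handler that trusts `event.data` from any origin and writes it into an HTML sink, beside a hardened handler that enforces an origin allowlist, validates the message shape and writes only to a text sink. The DOM is mocked with a plain object so the block runs under Node, and the origin `https://sap.example.com` and the `user` field are assumed placeholders.

```javascript
// Added example (not SAP code): DOM-based XSS via window.postMessage.
// A minimal fake element stands in for the DOM so this runs under Node.
function makeElement() {
  return { innerHTML: "", textContent: "" };
}

// Vulnerable pattern: no origin check, and the payload lands in an HTML sink,
// so markup such as <img onerror=...> executes in the victim's session.
function vulnerableHandler(target, event) {
  target.innerHTML = "Hello, " + event.data.user;
  return true;
}

// Hardened pattern: allowlist the sender origin (assumed placeholder),
// validate the message shape, and write only to a text sink.
const TRUSTED_ORIGINS = new Set(["https://sap.example.com"]);

function hardenedHandler(target, event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return false;        // drop foreign senders
  if (typeof event.data !== "object" || event.data === null) return false;
  if (typeof event.data.user !== "string") return false;
  target.textContent = "Hello, " + event.data.user;            // text sink: markup is inert
  return true;
}

// Constructed messages for the demonstration.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';
const hostileMessage = { origin: "https://attacker.example", data: { user: PAYLOAD } };
const trustedButHostile = { origin: "https://sap.example.com", data: { user: PAYLOAD } };
const legitMessage = { origin: "https://sap.example.com", data: { user: "alice" } };

function demo() {
  const v = makeElement();
  vulnerableHandler(v, hostileMessage);                 // payload reaches innerHTML

  const h1 = makeElement();
  const acceptedHostile = hardenedHandler(h1, hostileMessage);   // rejected by origin check

  const h2 = makeElement();
  hardenedHandler(h2, trustedButHostile);               // accepted, but rendered as literal text

  const h3 = makeElement();
  hardenedHandler(h3, legitMessage);

  return {
    vulnerableHtml: v.innerHTML,
    hardenedAcceptedHostile: acceptedHostile,
    hardenedTrustedText: h2.textContent,
    hardenedLegitText: h3.textContent,
  };
}

// Browser wiring (not executed under Node):
// window.addEventListener("message", (e) =>
//   hardenedHandler(document.getElementById("greeting"), e));
```

The origin check stops foreign windows from driving the handler at all; the text sink is the second line of defence, so that even content from a trusted origin that turns out to be attacker-influenced is shown as characters rather than parsed as markup. A CSP without 'unsafe-inline' in script-src would additionally block the inline `onerror` handler if the HTML sink were ever reached.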
🧯 If You Can't Patch
- Restrict network access to SAP WEBGUI interfaces with firewalls or network segmentation, so fewer users can be driven to the vulnerable page.
- Deploy web application firewall (WAF) rules to detect and block XSS payloads in requests. Caveat: a DOM-based payload carried in a URL fragment or a browser web message is processed in the browser and never passes through the WAF, so this only catches payloads that travel in the HTTP request itself.
🔍 How to Verify
Check if Vulnerable:
Check if SAP Note 3552824 is applied in transaction SNOTE or check system version against SAP Security Patch Day advisories.
Check Version:
In SAP GUI: System → Status to check kernel and patch levels.
Verify Fix Applied:
Verify SAP Note 3552824 is marked as implemented in transaction SNOTE and test WEBGUI functionality.
📡 Detection & Monitoring
Log Indicators:
- Web requests to WEBGUI endpoints carrying script tags or JavaScript payloads in the query string, plain or percent-encoded (a payload delivered via URL fragment or web message never reaches the server log)
- WEBGUI requests whose Referer is an unknown external site, followed by login or session activity that does not match the user's normal pattern (possible session token reuse)
Network Indicators:
- HTTP requests containing malicious script payloads to SAP WEBGUI URLs
- Outbound connections to suspicious domains from SAP user sessions
SIEM Query:
source="sap_webgui" AND (http_uri="*<script*" OR http_uri="*%3Cscript*" OR http_uri="*javascript:*" OR http_uri="*onerror=*")
Restrict the referer to external domains (for example http_referer!="*yourcompany.example*") rather than matching on a literal word, and keep in mind that payloads delivered client-side through a web message or URL fragment do not appear in server logs at all.
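As an added example, not part of the original page, the following Node script applies the same server-side indicators to a handful of constructed access-log lines, decoding percent-encoding first so that `%3Cscript%3E` evasions are caught, and shows that a request whose payload rides in the URL fragment or a web message looks clean server-side. The simplified `METHOD URI STATUS REFERER` log format and the log lines are constructed; the WEBGUI path is used only as an illustration.

```javascript
// Added example (not SAP code): matching the page's SIEM indicators against
// constructed access-log lines. Assumed simplified format: METHOD URI STATUS REFERER.
const LOG_LINES = [
  "GET /sap/bc/gui/sap/its/webgui?sap-client=100 200 -",
  "GET /sap/bc/gui/sap/its/webgui?q=<script>alert(1)</script> 200 https://attacker.example/lure",
  "GET /sap/bc/gui/sap/its/webgui?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E 200 -",
  "GET /sap/bc/gui/sap/its/webgui?next=javascript:alert(1) 302 -",
  // A DOM-based payload in the URL fragment (#...) or in a postMessage body is
  // never sent to the server, so this request from a lure page looks clean here.
  "GET /sap/bc/gui/sap/its/webgui 200 https://attacker.example/lure",
];

// Server-visible payload indicators, equivalent to the SIEM query above.
const PAYLOAD_PATTERNS = [/<script/i, /javascript:/i, /\bon[a-z]+\s*=/i];

function parseLine(line) {
  const [method, uri, status, referer] = line.split(" ");
  return { method, uri, status: Number(status), referer: referer === "-" ? null : referer };
}

// Decode percent-encoding once; a malformed sequence falls back to the raw URI.
function decodeUri(uri) {
  try {
    return decodeURIComponent(uri);
  } catch (e) {
    return uri;
  }
}

function classify(line) {
  const req = parseLine(line);
  const decoded = decodeUri(req.uri);
  const reasons = PAYLOAD_PATTERNS.filter((re) => re.test(decoded)).map(String);
  return {
    uri: req.uri,
    hit: reasons.length > 0,
    reasons,
    // Lower-confidence context: the victim arrived from an external site.
    externalReferer: req.referer !== null && !req.referer.startsWith("https://sap.example.com"),
  };
}

function scan(lines) {
  return lines.map(classify);
}

// Example run: only the three requests that carry the payload in the query string hit.
// console.table(scan(LOG_LINES));
```

The last log line is the one that matters for this CVE: an external Referer is the only trace the server sees, because the malicious content is delivered to the browser rather than to WEBGUI, which is why the detection section should be read as a partial control rather than proof of absence.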