CVE-2025-42891
📋 TL;DR
CVE-2025-42891 is a missing authorization vulnerability in SAP Enterprise Search for ABAP that allows authenticated attackers with high privileges to read and export database table contents into ABAP reports. This primarily affects organizations using SAP Enterprise Search for ABAP with insufficient authorization controls. The vulnerability has high impact on data confidentiality but no impact on availability.
💻 Affected Systems
- SAP Enterprise Search for ABAP
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Sensitive business data, customer information, or intellectual property could be extracted from database tables and exported, leading to significant data breaches and regulatory violations.
Likely Case
Privileged users could access and export data beyond their intended authorization scope, potentially exposing sensitive operational or financial information.
If Mitigated
With proper authorization controls and least privilege principles, impact is limited to authorized data access only.
🎯 Exploit Status
Exploitation requires existing high-privilege access; no public exploit details available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to SAP Note 3659117 for specific patch versions
Vendor Advisory: https://me.sap.com/notes/3659117
Restart Required: Yes
Instructions:
1. Review SAP Note 3659117 for specific patch details.
2. Apply the SAP Security Patch Day updates.
3. Restart affected SAP systems.
4. Verify authorization checks are properly implemented.
🔧 Temporary Workarounds
Authorization Restriction
Implement strict authorization controls to limit access to SAP Enterprise Search functionality
Use SAP transaction SU24 to maintain authorization objects
Review and restrict S_RS_ADMWB authorizations
Privilege Reduction
Apply the principle of least privilege to user accounts with access to SAP Enterprise Search
Use transaction PFCG to review and modify role authorizations
Remove unnecessary S_RS_ADMWB authorizations from user roles
🧯 If You Can't Patch
- Implement strict access controls and review all users with S_RS_ADMWB authorizations
- Enable detailed logging for SAP Enterprise Search activities and monitor for unauthorized data exports
🔍 How to Verify
Check if Vulnerable:
Check whether SAP Note 3659117 is applied (transaction SNOTE), or compare the system version against the SAP Security Patch Day updates
Check Version:
Use SAP transaction SM51 to check system information or review SAP Note implementation status
Verify Fix Applied:
Verify SAP Note 3659117 implementation status and test authorization controls for SAP Enterprise Search functionality
📡 Detection & Monitoring
Log Indicators:
- Unusual database table access patterns via SAP Enterprise Search
- Multiple data export activities from SAP Enterprise Search reports
- Authorization failures for S_RS_ADMWB objects
Network Indicators:
- Large data transfers from SAP systems following search operations
SIEM Query:
source="sap_audit_log" AND (event="RS_ADMWB" OR auth_object="S_RS_ADMWB") AND result="SUCCESS" | stats count by user, table_name
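As an added illustration of the log indicators and SIEM query above (not part of the original advisory), the following script replays the same filter-and-count logic over constructed audit records and flags users whose successful S_RS_ADMWB-related exports span many tables, plus the authorization failures listed as an indicator. Field names (event, auth_object, result, user, table_name), the record values and the thresholds are assumptions chosen for the example, not SAP's actual audit log schema.

```python
"""Detection logic mirroring the SIEM query for CVE-2025-42891 (example)."""
from collections import Counter, defaultdict

# Constructed sample audit records; the schema is an assumption that follows
# the field names used in the SIEM query, not the real SAP audit log format.
SAMPLE_LOG = [
    {"source": "sap_audit_log", "event": "RS_ADMWB", "auth_object": "S_RS_ADMWB",
     "result": "SUCCESS", "user": "ALICE", "table_name": "KNA1"},
    {"source": "sap_audit_log", "event": "RS_ADMWB", "auth_object": "S_RS_ADMWB",
     "result": "SUCCESS", "user": "ALICE", "table_name": "BSEG"},
    {"source": "sap_audit_log", "event": "RS_ADMWB", "auth_object": "S_RS_ADMWB",
     "result": "SUCCESS", "user": "ALICE", "table_name": "MARA"},
    {"source": "sap_audit_log", "event": "RS_ADMWB", "auth_object": "S_RS_ADMWB",
     "result": "SUCCESS", "user": "ALICE", "table_name": "KNA1"},
    {"source": "sap_audit_log", "event": "RS_ADMWB", "auth_object": "S_RS_ADMWB",
     "result": "SUCCESS", "user": "BOB", "table_name": "MARA"},
    {"source": "sap_audit_log", "event": "RS_ADMWB", "auth_object": "S_RS_ADMWB",
     "result": "FAILED", "user": "BOB", "table_name": "BSEG"},
    # Matches through auth_object only, as the query's OR clause allows.
    {"source": "sap_audit_log", "event": "SEARCH_EXPORT", "auth_object": "S_RS_ADMWB",
     "result": "SUCCESS", "user": "CAROL", "table_name": "USR02"},
    # Unrelated event and unrelated source: both must be excluded.
    {"source": "sap_audit_log", "event": "LOGIN", "auth_object": "S_TCODE",
     "result": "SUCCESS", "user": "DAVE", "table_name": ""},
    {"source": "other_log", "event": "RS_ADMWB", "auth_object": "S_RS_ADMWB",
     "result": "SUCCESS", "user": "DAVE", "table_name": "KNA1"},
]

def matches_query(rec):
    """Filter half of the SIEM query: source, event/auth object, success."""
    return (rec.get("source") == "sap_audit_log"
            and (rec.get("event") == "RS_ADMWB" or rec.get("auth_object") == "S_RS_ADMWB")
            and rec.get("result") == "SUCCESS")

def count_by_user_table(records):
    """Equivalent of `stats count by user, table_name` over matching records."""
    return Counter((r["user"], r["table_name"]) for r in records if matches_query(r))

def flag_bulk_exporters(counts, max_tables=2, max_events=3):
    """Users reading more distinct tables or more exports than the thresholds."""
    tables, events = defaultdict(set), Counter()
    for (user, table), n in counts.items():
        tables[user].add(table)
        events[user] += n
    return sorted(u for u in events if len(tables[u]) > max_tables or events[u] > max_events)

def auth_failures_by_user(records):
    """Authorization failures on S_RS_ADMWB, the third log indicator above."""
    return dict(Counter(r["user"] for r in records
                        if r.get("auth_object") == "S_RS_ADMWB" and r.get("result") != "SUCCESS"))
```

On the constructed data, ALICE is flagged for touching three tables across four successful exports, while BOB's single failed access surfaces only in the failure count.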