CVE-2025-42902

5.3 MEDIUM

📋 TL;DR

This memory corruption vulnerability in SAP NetWeaver AS ABAP and ABAP Platform allows unauthenticated attackers to crash work processes by sending corrupted SAP Logon or Assertion Tickets. It affects availability but not confidentiality or integrity. Organizations running vulnerable SAP systems are impacted.

💻 Affected Systems

Products:
  • SAP NetWeaver AS ABAP
  • SAP ABAP Platform
Versions: Multiple versions - check SAP Note 3627308 for specific affected versions
Operating Systems: All supported OS platforms for SAP NetWeaver
Default Config Vulnerable: ⚠️ Yes
Notes: Systems accepting SAP Logon Tickets or SAP Assertion Tickets are vulnerable. This includes systems configured for Single Sign-On (SSO).

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Multiple work processes could be crashed simultaneously, causing service disruption and potential denial of service for legitimate users.

🟠 Likely Case: Intermittent work process crashes requiring manual restart, causing temporary service degradation.

🟢 If Mitigated: Minimal impact with proper network segmentation and monitoring to detect and block malicious traffic.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires sending specially crafted tickets but doesn't require authentication. The NULL pointer dereference is triggered when processing malformed tickets.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply SAP Security Note 3627308

Vendor Advisory: https://me.sap.com/notes/3627308

Restart Required: Yes

Instructions:

  1. Download SAP Note 3627308 from SAP Support Portal.
  2. Apply the correction instructions provided in the note.
  3. Restart affected SAP work processes or the entire SAP system as recommended.

🔧 Temporary Workarounds

Disable SAP Logon Ticket Processing

Platform: all

Temporarily disable processing of SAP Logon Tickets and SAP Assertion Tickets if not required for business operations.

Network Filtering

Platform: all

Implement network filtering to block or rate-limit SAP ticket traffic from untrusted sources.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate SAP systems from untrusted networks
  • Deploy WAF or IPS with rules to detect and block malformed SAP ticket traffic

🔍 How to Verify

Check if Vulnerable:

Check if SAP Security Note 3627308 is applied using transaction SNOTE or by checking system patch status

Check Version:

Use SAP transaction SM51 to check work process status and system information

Verify Fix Applied:

Verify note 3627308 is implemented and test with legitimate SAP ticket processing to ensure functionality remains

📡 Detection & Monitoring

Log Indicators:

  • Work process crashes in dev_w* trace files
  • Abnormal termination messages in system logs
  • Increased frequency of work process restarts

Network Indicators:

  • Unusual volume of SAP ticket traffic
  • Traffic patterns indicating ticket manipulation attempts

SIEM Query:

source="sap_logs" AND ("work process terminated" OR "dev_w*" AND crash) AND NOT user_authenticated
