CVE-2025-42903
📋 TL;DR
This vulnerability in SAP Financial Service Claims Management allows attackers to enumerate valid user accounts and potentially disclose personal data by exploiting response discrepancies in the ICL_USER_GET_NAME_AND_ADDRESS RFC function. It affects organizations using vulnerable versions of SAP Financial Service Claims Management. The impact is limited to confidentiality with no effect on system integrity or availability.
💻 Affected Systems
- SAP Financial Service Claims Management
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could enumerate all valid user accounts and extract associated personal data (names, addresses) from the system, leading to privacy violations and potential identity theft.
Likely Case
Limited user enumeration allowing attackers to identify valid accounts for further attacks, with potential exposure of some personal data fields.
If Mitigated
Minimal impact if proper network segmentation and access controls prevent unauthorized access to the RFC interface.
🎯 Exploit Status
Exploitation requires understanding of SAP RFC protocols and ability to craft specific requests; no authentication bypass is involved.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply SAP Security Note 3656781
Vendor Advisory: https://me.sap.com/notes/3656781
Restart Required: No
Instructions:
1. Download SAP Note 3656781 from SAP Support Portal.
2. Apply the correction instructions provided in the note.
3. Test the fix in a development environment before production deployment.
🔧 Temporary Workarounds
Restrict RFC Access
Limit access to the ICL_USER_GET_NAME_AND_ADDRESS RFC function to only authorized users and systems
Use SAP transaction code SM59 to configure RFC destinations with appropriate authorization checks
Network Segmentation
Isolate SAP systems from untrusted networks to prevent unauthorized access to RFC interfaces
Configure firewall rules to restrict access to SAP RFC ports (typically 33xx range) to trusted IPs only
🧯 If You Can't Patch
- Implement strict network access controls to limit who can reach the SAP RFC interface
- Monitor and log all access attempts to the ICL_USER_GET_NAME_AND_ADDRESS function for suspicious patterns
🔍 How to Verify
Check if Vulnerable:
Check if SAP Note 3656781 is applied in your system using transaction code SNOTE
Check Version:
Use SAP transaction code SM51 to check system details and applied notes
Verify Fix Applied:
After applying the note, test the ICL_USER_GET_NAME_AND_ADDRESS function to ensure it no longer leaks information through response discrepancies
📡 Detection & Monitoring
Log Indicators:
- Unusual frequency of calls to ICL_USER_GET_NAME_AND_ADDRESS RFC function
- Multiple failed user enumeration attempts from single source
Network Indicators:
- High volume of RFC requests to port 33xx from unauthorized sources
- Patterned requests to the vulnerable function
SIEM Query (Splunk-style search; replace <threshold> with the call-rate baseline for your environment):
source="sap_rfc_logs" function="ICL_USER_GET_NAME_AND_ADDRESS" | stats count by src_ip | where count > <threshold>
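The log indicators above (call frequency and repeated failed lookups from one source) can be checked offline with the following detector, an added example that is not part of this advisory; the log line format, field names and return-code semantics are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed format (not a real SAP log layout):
# "<ISO timestamp> src=<ip> rfc=<function> rc=<return code>"; rc=0 means success.
SAMPLE_LOG = """\
2025-06-01T10:00:00 src=10.0.5.23 rfc=ICL_USER_GET_NAME_AND_ADDRESS rc=0
2025-06-01T10:00:01 src=198.51.100.7 rfc=ICL_USER_GET_NAME_AND_ADDRESS rc=4
2025-06-01T10:00:01 src=198.51.100.7 rfc=ICL_USER_GET_NAME_AND_ADDRESS rc=4
2025-06-01T10:00:02 src=198.51.100.7 rfc=ICL_USER_GET_NAME_AND_ADDRESS rc=0
2025-06-01T10:00:02 src=198.51.100.7 rfc=ICL_USER_GET_NAME_AND_ADDRESS rc=4
2025-06-01T10:00:03 src=198.51.100.7 rfc=ICL_USER_GET_NAME_AND_ADDRESS rc=4
2025-06-01T10:00:03 src=198.51.100.7 rfc=ICL_USER_GET_NAME_AND_ADDRESS rc=4
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) rfc=(?P<rfc>\S+) rc=(?P<rc>\d+)$")
TARGET_RFC = "ICL_USER_GET_NAME_AND_ADDRESS"


def parse(log_text):
    """Yield (timestamp, src, rfc, rc) for each line matching the assumed format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["rfc"], int(m["rc"])


def detect_enumeration(log_text, window_seconds=60, max_calls=5, max_failures=3):
    """Return {src: reason} for sources whose TARGET_RFC calls in any sliding window
    exceed max_calls, or whose failed lookups (rc != 0) in a window exceed max_failures."""
    by_src = defaultdict(list)
    for ts, src, rfc, rc in parse(log_text):
        if rfc == TARGET_RFC:
            by_src[src].append((ts, rc))
    window, alerts = timedelta(seconds=window_seconds), {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide window start forward
                start += 1
            in_window = events[start:end + 1]
            failures = sum(1 for _, rc in in_window if rc != 0)
            if len(in_window) > max_calls:
                alerts[src] = f"{len(in_window)} calls in {window_seconds}s"
                break
            if failures > max_failures:
                alerts[src] = f"{failures} failed lookups in {window_seconds}s"
                break
    return alerts
```

Tune window_seconds, max_calls and max_failures to the legitimate call rate of the claims-management processes that use this function, otherwise batch jobs will trip the alert.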