CVE-2025-42904
📋 TL;DR
CVE-2025-42904 is an information disclosure vulnerability in SAP Application Server ABAP that allows authenticated attackers to view unmasked sensitive data in ABAP Lists. This affects SAP systems running vulnerable ABAP versions where users can generate or access ABAP reports. The vulnerability enables unauthorized data reading but doesn't allow modification or system disruption.
💻 Affected Systems
- SAP Application Server ABAP
- SAP NetWeaver Application Server ABAP
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could extract sensitive business data, PII, financial information, or credentials from ABAP reports, leading to data breaches, regulatory violations, and intellectual property theft.
Likely Case
Authenticated users with standard privileges could accidentally or intentionally view sensitive data fields that should be masked in ABAP List outputs, resulting in unauthorized data access.
If Mitigated
With proper access controls and data masking configurations, only authorized users would see sensitive data, limiting exposure to legitimate business needs.
🎯 Exploit Status
Exploitation requires authenticated access to the SAP system and the ability to generate or view ABAP Lists. No special tools are needed beyond standard SAP GUI access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: See SAP Note 3662324 for specific kernel patches
Vendor Advisory: https://me.sap.com/notes/3662324
Restart Required: Yes
Instructions:
1. Review SAP Note 3662324 for your specific SAP version.
2. Apply the recommended kernel patch via SAP Support Portal.
3. Restart the SAP system.
4. Verify the fix by testing ABAP List masking functionality.
🔧 Temporary Workarounds
Restrict ABAP List Access
Limit user permissions to generate and view ABAP Lists containing sensitive data
Use SAP transaction PFCG to modify role authorizations
Remove S_ALV authorization objects where appropriate
Implement Data Masking
Apply additional data masking in ABAP reports using CL_ABAP_LIST_UTILITIES
Modify ABAP reports to use CL_ABAP_LIST_UTILITIES=>MASK_VALUE()
Implement custom masking logic in report outputs
🧯 If You Can't Patch
- Review and restrict user authorizations for ABAP List generation and viewing
- Audit all ABAP reports for sensitive data exposure and implement application-level masking
🔍 How to Verify
Check if Vulnerable:
Check if your SAP kernel version is listed as vulnerable in SAP Note 3662324. Test by creating an ABAP report with sensitive data and verifying if it appears unmasked in list output.
Check Version:
In SAP GUI: System → Status → Component version, or use transaction SM51
Verify Fix Applied:
After patching, verify the same ABAP reports now properly mask sensitive data in list outputs. Check kernel patch level via SM51 transaction.
📡 Detection & Monitoring
Log Indicators:
- Unusual ABAP List generation patterns
- Multiple failed authorization checks for S_ALV objects
- Access to sensitive data tables via report transactions
Network Indicators:
- Increased SAP GUI traffic to report generation transactions
- Unusual data extraction patterns from SAP systems
SIEM Query:
source="sap_audit_log" AND (event_id="AU1" OR event_id="AU2") AND (object="S_ALV" OR transaction="SE38" OR transaction="SE80")
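The SIEM query above matches individual events, while the "unusual ABAP List generation patterns" indicator needs a per-user rate. The following is an added example, not part of the original advisory or of any SAP tooling: it applies the same filter to normalized audit records and reports users whose matching events cluster in a short window. The record layout, the `user` and `time` fields, the 10-minute window and the threshold of 3 are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Values mirror the SIEM query on this page. The record layout (one normalized
# dict per audit event, with "user" and ISO "time" fields) is an assumption.
EVENT_IDS = {"AU1", "AU2"}
OBJECTS = {"S_ALV"}
TRANSACTIONS = {"SE38", "SE80"}

def matches_query(ev):
    """Same logic as the query: source AND event_id AND (object OR transaction)."""
    return (ev.get("source") == "sap_audit_log"
            and ev.get("event_id") in EVENT_IDS
            and (ev.get("object") in OBJECTS or ev.get("transaction") in TRANSACTIONS))

def burst_users(events, window=timedelta(minutes=10), threshold=3):
    """Peak count of matching events per user in any sliding window, if >= threshold."""
    per_user = defaultdict(list)
    for ev in events:
        if matches_query(ev):
            per_user[ev["user"]].append(datetime.fromisoformat(ev["time"]))
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop events older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged

def _ev(user, time, event_id, transaction=None, obj=None, source="sap_audit_log"):
    return {"source": source, "user": user, "time": "2025-01-01T" + time,
            "event_id": event_id, "transaction": transaction, "object": obj}

# Constructed sample events, not real log data.
SAMPLE = [
    _ev("JDOE", "09:00:00", "AU1", "SE38"),
    _ev("JDOE", "09:02:00", "AU1", "SE38"),
    _ev("JDOE", "09:04:00", "AU2", obj="S_ALV"),
    _ev("JDOE", "09:06:00", "AU1", "SE80"),
    _ev("JDOE", "10:30:00", "AU1", "SE38"),            # outside the burst window
    _ev("ASMITH", "09:00:00", "AU1", "SE38"),          # single event, below threshold
    _ev("ASMITH", "09:01:00", "AU1", "SE38", source="other_log"),
    _ev("BLEE", "09:00:00", "AU1", "SM51"),            # transaction not in the query
]

print(burst_users(SAMPLE))
```

Tune the window and threshold against a baseline of normal reporting activity before alerting on the result.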