CVE-2025-42911
📋 TL;DR
CVE-2025-42911 is an information disclosure vulnerability in SAP NetWeaver's Service Data Download component. Authenticated users can call a remote-enabled function module to access sensitive system information about the SAP environment and underlying operating system. This affects organizations running vulnerable SAP NetWeaver installations.
💻 Affected Systems
- SAP NetWeaver
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could gather detailed system information including SAP configuration details, operating system details, and potentially other sensitive data that could facilitate further attacks.
Likely Case
Authenticated users (including legitimate users with malicious intent) accessing system information they shouldn't have access to, potentially enabling reconnaissance for more serious attacks.
If Mitigated
With proper access controls and monitoring, impact is limited to minimal information leakage that doesn't directly compromise system integrity.
🎯 Exploit Status
Exploitation requires authenticated access to the SAP system and knowledge of the vulnerable function module
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply SAP Security Note 3627644
Vendor Advisory: https://me.sap.com/notes/3627644
Restart Required: No
Instructions:
1. Download SAP Note 3627644 from SAP Support Portal. 2. Apply the correction instructions provided in the note. 3. Verify the fix by testing the vulnerable function module.
🔧 Temporary Workarounds
Restrict Function Module Access
SAPUse SAP authorization objects to restrict access to the vulnerable remote-enabled function module
Use transaction SE93 to check function module authorization
Use transaction SU24 to maintain authorization objects
🧯 If You Can't Patch
- Implement strict access controls to limit which users can execute remote-enabled function modules
- Monitor and audit usage of function modules in the Service Data Download component
🔍 How to Verify
Check if Vulnerable:
Check if SAP Note 3627644 is applied in your system using transaction SNOTECheck Version:
Use transaction SM51 to check SAP system version and applied notesVerify Fix Applied:
After applying the note, attempt to execute the vulnerable function module to confirm access is properly restricted📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to function modules in Service Data Download
- Multiple failed authorization checks for specific function modules
Network Indicators:
- Unusual RFC calls to the vulnerable function module
SIEM Query:
source="SAP" AND (event_type="authorization_failure" OR event_type="function_module_call") AND module_name="*Service Data Download*"