CVE-2025-42916
📋 TL;DR
This CVE describes a vulnerability in SAP ABAP reports where attackers with high privilege access can delete arbitrary database table contents if tables lack authorization group protection. This affects SAP systems using vulnerable ABAP reports and impacts database integrity and availability, but not confidentiality.
💻 Affected Systems
- SAP systems with ABAP reports
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete deletion of critical business data from unprotected database tables, causing permanent data loss and system downtime.
Likely Case
Targeted deletion of specific business data from vulnerable tables, disrupting operations and requiring restoration from backups.
If Mitigated
Limited impact due to proper authorization group configuration and privilege restrictions.
🎯 Exploit Status
Exploitation requires high privilege ABAP access and knowledge of vulnerable reports/tables.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: See SAP Note 3635475 for specific patch versions
Vendor Advisory: https://me.sap.com/notes/3635475
Restart Required: Yes
Instructions:
1. Review SAP Note 3635475 for affected components.
2. Apply the relevant SAP security patches.
3. Restart the affected SAP systems.
4. Verify patch application through transaction SPAM/SAINT.
🔧 Temporary Workarounds
Implement Authorization Group Protection
Configure authorization groups for all critical database tables to prevent unauthorized deletion.
Use transaction SE11 to set authorization groups for tables
Restrict ABAP Report Privileges
Review and limit high-privilege access to ABAP reports, following the principle of least privilege.
Use transaction PFCG to review and adjust role authorizations
🧯 If You Can't Patch
- Implement strict access controls to limit high privilege ABAP access to trusted personnel only
- Configure authorization groups for all critical database tables and regularly audit unprotected tables
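To support the audit of unprotected tables recommended above, here is an added Python example (not from the original page or from SAP) that checks a list of table names against an exported extract of TDDAT, the SAP table that records each table's authorization group; the export layout, the sample table names and the reason labels are constructed assumptions.

```python
"""Flag database tables that have no effective authorization group (added audit example)."""
import csv
import io

# Constructed sample: a semicolon-separated export of TDDAT (TABNAME, CCLASS).
# '&NC&' is the "not classified" group shared by every table without a specific
# group, so it provides no table-specific protection; a blank CCLASS is equally weak.
SAMPLE_TDDAT_EXPORT = """TABNAME;CCLASS
BKPF;FC
ZCUSTOMER_DATA;&NC&
ZPRICING;
USR02;SC
ZAUDIT_LOG;ZAUD
"""

# Constructed sample: the tables to audit (in practice, e.g. the Z* tables from DD02L).
SAMPLE_TABLES = ["BKPF", "ZCUSTOMER_DATA", "ZPRICING", "ZORDERS", "USR02", "ZAUDIT_LOG"]

UNPROTECTED_GROUPS = {"", "&NC&"}


def parse_tddat(export_text):
    """Parse the export into {TABNAME: CCLASS}, tolerating surrounding whitespace."""
    reader = csv.DictReader(io.StringIO(export_text), delimiter=";")
    return {row["TABNAME"].strip(): (row["CCLASS"] or "").strip() for row in reader}


def find_unprotected(tables, tddat):
    """Return sorted (table, reason) pairs for tables lacking a real authorization group."""
    findings = []
    for table in tables:
        if table not in tddat:
            findings.append((table, "no TDDAT entry"))
        elif tddat[table] in UNPROTECTED_GROUPS:
            findings.append((table, tddat[table] or "blank group"))
    return sorted(findings)


def audit_report(export_text=SAMPLE_TDDAT_EXPORT, tables=SAMPLE_TABLES):
    """Convenience wrapper: parse the export and list the unprotected tables."""
    return find_unprotected(tables, parse_tddat(export_text))


if __name__ == "__main__":
    for table, reason in audit_report():
        print(f"UNPROTECTED {table}: {reason}")
```

Every table the script reports should be assigned a dedicated group via SE11 before any delete-capable report is allowed to touch it.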
🔍 How to Verify
Check if Vulnerable:
Check if you have vulnerable ABAP reports by reviewing SAP Note 3635475 and examining unprotected database tables.
Check Version:
Use transaction SM51 to check the SAP kernel version and SPAM to check support package levels.
Verify Fix Applied:
Verify patch application through transaction SPAM/SAINT and test that vulnerable reports no longer allow unauthorized table deletions.
📡 Detection & Monitoring
Log Indicators:
- Unusual DELETE operations on database tables from ABAP reports
- Authorization failures for table access attempts
Network Indicators:
- Not applicable - this is an application layer vulnerability
SIEM Query:
Search for DELETE operations on database tables from non-standard ABAP reports or unusual time patterns