CVE-2025-42929
📋 TL;DR
This CVE lets an attacker who already holds high-privilege ABAP access (for example, the ability to run reports in SE38/SA38) delete the contents of arbitrary database tables that are not protected by an authorization group: the vulnerable ABAP report performs the delete without a table-level authorization check, so the only thing standing between the user and the data is the table's authorization group. It affects SAP NetWeaver Application Server ABAP and primarily impacts database integrity and availability; confidentiality is not affected.
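To make the mechanism concrete, here is an illustrative report written for this page; it is an added example, not the SAP report the CVE concerns (which the page does not name). The report name `z_demo_table_delete`, the form names and the message wording are assumptions. `delete_unchecked` shows the pattern the CVE describes: a dynamic `DELETE FROM (dbtab)` guarded only by whoever is allowed to start the report. `delete_checked` first resolves the table's authorization group from TDDAT (tables with no entry fall into the unclassified group `&NC&`) and then checks S_TABU_NAM and S_TABU_DIS with activity 02 before deleting.

```abap
*&---------------------------------------------------------------------*
*& Added example for CVE-2025-42929: unchecked vs. checked table delete.
*& Hypothetical report; not the vulnerable SAP report itself.
*&---------------------------------------------------------------------*
REPORT z_demo_table_delete.

PARAMETERS p_tab TYPE tabname OBLIGATORY.

" Tables without a TDDAT entry are treated by SAP as group &NC& (not classified).
CONSTANTS gc_unclassified TYPE tddat-cclass VALUE '&NC&'.

DATA gv_ok TYPE abap_bool.

" Vulnerable pattern (what the CVE describes): the only gate is the right to
" run the report; the table itself is never checked, so any table without
" an authorization group can be emptied.
FORM delete_unchecked USING iv_tab TYPE tabname.
  DELETE FROM (iv_tab).
  WRITE: / 'Deleted without table authorization check:', iv_tab, sy-dbcnt, 'rows'.
ENDFORM.

" Returns abap_true only if the current user may change the contents of iv_tab.
FORM check_table_authority USING iv_tab TYPE tabname CHANGING cv_ok TYPE abap_bool.
  DATA lv_group TYPE tddat-cclass.
  cv_ok = abap_false.

  " Authorization group assignment lives in TDDAT (maintained via SE54 / SE11).
  SELECT SINGLE cclass FROM tddat INTO lv_group WHERE tabname = iv_tab.
  IF sy-subrc <> 0 OR lv_group IS INITIAL.
    lv_group = gc_unclassified.
  ENDIF.

  " Name-based check: S_TABU_NAM, activity 02 = change.
  AUTHORITY-CHECK OBJECT 'S_TABU_NAM'
    ID 'TABLE' FIELD iv_tab
    ID 'ACTVT' FIELD '02'.
  IF sy-subrc = 0.
    cv_ok = abap_true.
    RETURN.
  ENDIF.

  " Group-based check: S_TABU_DIS against the resolved authorization group.
  AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
    ID 'DICBERCLS' FIELD lv_group
    ID 'ACTVT' FIELD '02'.
  IF sy-subrc = 0.
    cv_ok = abap_true.
  ENDIF.
ENDFORM.

" Hardened pattern: refuse unless the table-level check passes.
FORM delete_checked USING iv_tab TYPE tabname.
  DATA lv_ok TYPE abap_bool.
  PERFORM check_table_authority USING iv_tab CHANGING lv_ok.
  IF lv_ok = abap_false.
    " Message 00 398 is the generic '& & & &' placeholder message.
    MESSAGE e398(00) WITH 'No authorization to change table' iv_tab.
  ENDIF.
  DELETE FROM (iv_tab).
  WRITE: / 'Deleted after table authorization check:', iv_tab, sy-dbcnt, 'rows'.
ENDFORM.

START-OF-SELECTION.
  " Only the checked variant is called; delete_unchecked is kept for comparison.
  PERFORM delete_checked USING p_tab.
```

A user with `S_TABU_DIS` granting `DICBERCLS = '*'` (or `&NC&`) still passes the checked variant for unclassified tables, which is why the workaround below insists on assigning real authorization groups and trimming the `S_TABU_DIS` / `S_TABU_NAM` values in roles: the check is only as strong as the groups it can distinguish. SAP's own function module VIEW_AUTHORITY_CHECK wraps the same two objects and can be used instead of the hand-written form.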
💻 Affected Systems
- SAP NetWeaver Application Server ABAP
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete deletion of business data from every table that lacks an authorization group, causing permanent data loss (unless recoverable from backups or the table change log) and system unavailability.
Likely Case
Targeted deletion of specific business-critical tables by a malicious insider or a compromised developer/administrator account that can run ABAP reports, disrupting operations.
If Mitigated
Limited impact if every table holding business data carries an authorization group, roles grant S_TABU_DIS / S_TABU_NAM only for the groups and tables a user needs, and the ability to run arbitrary reports is restricted.
🎯 Exploit Status
Exploitation requires high-privilege ABAP access (the ability to execute the affected report); no public exploit details are available. Because the prerequisite is a legitimate, privileged account, the realistic threat is insider misuse or credential compromise rather than remote unauthenticated attack.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply SAP Security Note 3633002
Vendor Advisory: https://me.sap.com/notes/3633002
Restart Required: Yes
Instructions:
1. Download SAP Note 3633002 from the SAP Support Portal.
2. Apply the note using SAP Note Assistant (transaction SNOTE) and confirm its status shows as completely implemented.
3. Restart the SAP system if the note's correction instructions require it.
🔧 Temporary Workarounds
Configure Authorization Groups
Assign an authorization group to every database table that holds business data, so that S_TABU_DIS can distinguish them from the unclassified group &NC&.
Use transaction SE54 (Assign Authorization Group) or SE11 → Utilities → Table Maintenance Generator to set the group; assignments are stored in table TDDAT and checked through authorization object S_TABU_DIS (field DICBERCLS). Then remove wildcard or &NC& values for DICBERCLS from roles that do not need them.
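To find the tables that this workaround must cover, the following report lists active transparent tables in a chosen namespace that have no effective authorization group (no TDDAT entry, an empty group, or the unclassified group &NC&). It is an added example for this page, not SAP-delivered code; the report name `z_find_unprotected_tables` and the default selection `Z*` are assumptions, and the two-step select (rather than an outer join with IS NULL) is used so it runs on older releases too.

```abap
*&---------------------------------------------------------------------*
*& Added example: list tables without an effective authorization group.
*& Hypothetical report, not part of the SAP advisory.
*&---------------------------------------------------------------------*
REPORT z_find_unprotected_tables.

TABLES dd02l.
" Default to the customer namespace; widen to '*' for a full inventory.
SELECT-OPTIONS s_tab FOR dd02l-tabname DEFAULT 'Z*' OPTION CP.

TYPES: BEGIN OF ty_group,
         tabname TYPE tabname,
         cclass  TYPE tddat-cclass,   " authorization group (DICBERCLS value)
       END OF ty_group.

DATA: lt_tabnames TYPE STANDARD TABLE OF tabname,
      lt_groups   TYPE SORTED TABLE OF ty_group WITH UNIQUE KEY tabname,
      ls_group    TYPE ty_group,
      lv_count    TYPE i.

FIELD-SYMBOLS <lv_tab> TYPE tabname.

START-OF-SELECTION.
  " Step 1: active transparent tables matching the selection (DD02L).
  SELECT tabname FROM dd02l INTO TABLE lt_tabnames
    WHERE tabname  IN s_tab
      AND tabclass = 'TRANSP'
      AND as4local = 'A'.
  IF lt_tabnames IS INITIAL.
    WRITE / 'No tables match the selection.'.
    RETURN.
  ENDIF.

  " Step 2: authorization group assignments for those tables (TDDAT).
  SELECT tabname cclass FROM tddat INTO TABLE lt_groups
    FOR ALL ENTRIES IN lt_tabnames
    WHERE tabname = lt_tabnames-table_line.

  " Step 3: report every table whose group is missing, empty or &NC&.
  LOOP AT lt_tabnames ASSIGNING <lv_tab>.
    CLEAR ls_group.   " READ TABLE leaves the old value on a miss
    READ TABLE lt_groups INTO ls_group WITH TABLE KEY tabname = <lv_tab>.
    IF sy-subrc <> 0 OR ls_group-cclass IS INITIAL OR ls_group-cclass = '&NC&'.
      WRITE: / <lv_tab>, 'has no effective authorization group'.
      lv_count = lv_count + 1.
    ENDIF.
  ENDLOOP.

  WRITE: / 'Unprotected tables:', lv_count, 'of', lines( lt_tabnames ).
```

Run it once before and once after assigning groups; a non-zero count after the change means some tables would still be reachable by any user whose S_TABU_DIS grants &NC&.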
Restrict ABAP Report Privileges
Implement strict role-based access control for ABAP report execution: limit who can start arbitrary reports (SE38, SA38, SE80) and which reports they may start via authorization objects S_DEVELOP and S_PROGRAM.
Review and adjust the affected roles in transaction PFCG, and check who currently holds them with SUIM.
🧯 If You Can't Patch
- Enforce least-privilege access for ABAP users: no wildcard S_TABU_DIS / S_TABU_NAM values in productive roles, and developer-style report execution (SE38/SA38/SE80) only for the few accounts that need it
- Enable table change logging for business-critical tables (profile parameter rec/client plus the "Log data changes" flag in SE13) and review the log with SCU3, so deletions are recorded and attributable even if they cannot be prevented
🔍 How to Verify
Check if Vulnerable:
Open transaction SNOTE and look up SAP Note 3633002; if it is not listed with status "Completely implemented", or the advisory lists your support package level as affected, treat the system as vulnerable.
Check Version:
Use System → Status (Component information) to read the software component versions and support package levels, or transaction SPAM for the support package level; SM51 only lists the application servers of the system and does not show note status. Compare the result with the versions in SAP Note 3633002.
Verify Fix Applied:
Confirm in SNOTE that SAP Note 3633002 is completely implemented, then re-run the affected ABAP report with a test user whose roles grant no S_TABU_DIS / S_TABU_NAM authorization for the target table and confirm the delete is rejected.
📡 Detection & Monitoring
Log Indicators:
- Report starts (Security Audit Log event AUW) or transaction starts (event AU3) for SE38, SA38 or SE80 by users who do not normally develop, especially in production clients
- Bursts of delete entries in the table change log (DBTABLOG, viewed with SCU3) for several tables from one user within a short timeframe
Network Indicators:
- Not applicable - this is a local database manipulation vulnerability
SIEM Query:
Correlate Security Audit Log records (SM20 / RSAU_READ_LOG) showing a transaction start (AU3) for SE38/SA38/SE80 or a report start (AUW) by a given user with table change log entries (DBTABLOG) for the same user in the following minutes; alert when the number of distinct tables with deletions exceeds a site-specific threshold. Note that the audit log does not record the DELETE statements themselves, so tables that matter must have change logging enabled for this query to see them.