CVE-2025-42943
📋 TL;DR
SAP GUI for Windows may leak NTLM hashes when specific ABAP frontend services are called with UNC paths. This requires an attacker with developer authorization in an ABAP Application Server to modify code, and a victim using SAP GUI for Windows to execute it. The vulnerability primarily affects organizations using SAP systems with Windows clients.
💻 Affected Systems
- SAP GUI for Windows
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could capture NTLM hashes, potentially enabling credential relay attacks or offline cracking to gain unauthorized access to Windows domain resources.
Likely Case
Internal attackers with developer privileges could exploit this to harvest NTLM hashes from targeted users, potentially escalating privileges within the Windows domain.
If Mitigated
With proper network segmentation, SMB signing enforcement, and developer access controls, the risk is significantly reduced to isolated credential exposure.
🎯 Exploit Status
Requires developer authorization in the ABAP system to modify code, plus victim interaction with SAP GUI.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: As specified in SAP Note 3627845
Vendor Advisory: https://me.sap.com/notes/3627845
Restart Required: No
Instructions:
1. Review SAP Note 3627845 for specific patch details.
2. Apply the recommended SAP GUI for Windows update.
3. Verify patch application through version checking.
🔧 Temporary Workarounds
Restrict UNC Path Access
Windows: Configure Windows clients to restrict UNC path access from SAP GUI processes
Configure Windows Firewall to block outbound SMB (ports 139/445) from SAP GUI processes
Use Group Policy to restrict UNC path access
Enforce SMB Signing
Windows: Require SMB packet signing to prevent NTLM relay attacks
Group Policy: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Microsoft network server: Digitally sign communications (always)
🧯 If You Can't Patch
- Implement strict developer access controls and code review processes for ABAP systems
- Monitor for suspicious UNC path requests from SAP GUI processes in network logs
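As an aid to the code-review control listed above, this added example (not part of the original advisory and not SAP tooling) scans exported ABAP source for string literals that begin with a UNC path and marks those whose host is not an approved file server. The allowlist, host names and sample source are constructed assumptions.

```python
import re

# Assumption: file servers that ABAP code may legitimately reference.
APPROVED_HOSTS = {"fileserver01.corp.example"}

# An ABAP literal that starts with a UNC path: '\\host\share...' or `\\host\share...`
UNC_LITERAL = re.compile(r"""['`]\\\\([^\\'`\s]+)\\[^'`]*['`]""")


def strip_comment(line):
    """Drop ABAP comments: '*' in column 1, or '"' outside a literal."""
    if line.startswith("*"):
        return ""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'`":
            quote = ch
        elif ch == '"':
            return line[:i]
    return line


def find_unc_literals(source, approved=APPROVED_HOSTS):
    """Return (line_no, host, path, is_approved) for each UNC literal found."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        for m in UNC_LITERAL.finditer(strip_comment(line)):
            host = m.group(1).lower()
            findings.append((no, host, m.group(0)[1:-1], host in approved))
    return findings


# Constructed sample source, not taken from any real system.
SAMPLE = r"""
* lv_old = '\\10.9.9.9\old\file.txt'.
DATA(lv_tpl) = '\\fileserver01.corp.example\templates\order.xlsx'.
DATA(lv_doc) = `\\198.51.100.23\docs\readme.txt`. " added in transport
DATA(lv_loc) = 'C:\temp\export.csv'.
"""

if __name__ == "__main__":
    for no, host, path, ok in find_unc_literals(SAMPLE):
        print(f"line {no}: {path} -> {'approved' if ok else 'REVIEW'}")
```

Paths built at runtime by concatenation or string templates are not caught by a literal scan, so this complements transport review and does not replace it.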
🔍 How to Verify
Check if Vulnerable:
Check the SAP GUI version against the affected versions in SAP Note 3627845
Check Version:
In SAP GUI: Help → About SAP Logon
Verify Fix Applied:
Confirm the SAP GUI version is updated to the patched version specified in SAP Note 3627845
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing SMB authentication attempts from SAP GUI processes
- SAP system logs showing ABAP code modifications
Network Indicators:
- SMB traffic (ports 139/445) originating from SAP GUI processes to unexpected destinations
- UNC path requests in network captures
SIEM Query:
source="windows" AND event_id=4624 AND process_name="saplogon.exe" AND destination_port IN (139, 445)