CVE-2025-42952
📋 TL;DR
This vulnerability in SAP Business Warehouse and SAP Plug-In Basis allows authenticated attackers to add fields to arbitrary database tables/structures, potentially causing system-wide availability issues. Attackers can trigger short dumps during login that render the system unusable. Only authenticated users can exploit this vulnerability, affecting availability but not confidentiality or integrity.
💻 Affected Systems
- SAP Business Warehouse
- SAP Plug-In Basis
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system unavailability requiring database restoration and extended downtime
Likely Case
Targeted disruption of critical business processes through login failures
If Mitigated
Limited impact with proper authentication controls and monitoring
🎯 Exploit Status
Exploitation requires authenticated access to SAP system with appropriate authorizations
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply SAP Security Note 3623255
Vendor Advisory: https://me.sap.com/notes/3623255
Restart Required: Yes
Instructions:
1. Download SAP Note 3623255 from SAP Support Portal
2. Apply the correction instructions in the note
3. Restart affected SAP systems
4. Verify the fix using transaction ST22 for short dump analysis
🔧 Temporary Workarounds
Restrict Authorization Objects
allLimit access to transaction SE11 (ABAP Dictionary) and related authorization objects
Use transaction SU24 to adjust authorization checks
Review and restrict S_TABU_NAM authorization object
Enhanced Monitoring
allMonitor for unusual database structure modifications and failed login attempts
Set up alerts for transaction SE11 usage
Monitor ST22 for short dumps related to login failures
🧯 If You Can't Patch
- Implement strict access controls to limit who can modify database structures
- Enable comprehensive logging and monitoring for database modification activities
🔍 How to Verify
Check if Vulnerable:
Check if SAP Note 3623255 is applied using transaction SNOTECheck Version:
Use transaction SM51 to check system information and applied notesVerify Fix Applied:
Verify note application in SNOTE and test login functionality📡 Detection & Monitoring
Log Indicators:
- Unusual SE11 transaction usage
- Multiple failed login attempts with short dumps
- Database structure modification logs
Network Indicators:
- Increased login attempts to SAP GUI or web interfaces
SIEM Query:
source="sap_audit_log" AND (event="SE11" OR event="ST22") AND user NOT IN [authorized_users]