CVE-2025-42968
📋 TL;DR
This vulnerability in SAP NetWeaver allows authenticated non-administrative users to call a remote-enabled function module that reveals non-sensitive system and OS information. It affects SAP NetWeaver systems with the vulnerable function module enabled. The impact is limited to low-severity information disclosure.
💻 Affected Systems
- SAP NetWeaver
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could gather reconnaissance data about the SAP system and underlying OS, potentially aiding further attacks.
Likely Case
Internal users with standard access could view system information they shouldn't have access to, but no sensitive data is exposed.
If Mitigated
With proper access controls and monitoring, the impact is minimal as only non-sensitive information is accessible.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of the vulnerable function module.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply SAP Security Note 3621037
Vendor Advisory: https://me.sap.com/notes/3621037
Restart Required: Yes
Instructions:
1. Download SAP Note 3621037 from SAP Support Portal
2. Apply the note using SAP Note Assistant or transaction SNOTE
3. Restart affected SAP systems as required
🔧 Temporary Workarounds
Restrict Function Module Access
- Remove authorization for non-administrative users to execute the vulnerable function module
- Use transaction SE93 or SU24 to adjust authorization objects for the function module
🧯 If You Can't Patch
- Implement strict access controls to limit which users can execute remote function modules
- Monitor logs for unauthorized access attempts to function modules
🔍 How to Verify
Check if Vulnerable:
Check whether SAP Note 3621037 is applied using transaction SNOTE, or compare the system version against the SAP Security Patch Day advisories
Check Version:
Use SAP transaction SM51 or SM50 to check system details
Verify Fix Applied:
Verify SAP Note 3621037 is successfully implemented and test that non-admin users cannot access the vulnerable function module
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to remote function modules in SAP security audit logs
- Multiple calls to specific function modules from non-admin users
Network Indicators:
- Increased RFC traffic to vulnerable function modules
SIEM Query:
source="sap_audit_log" AND (event_type="function_module_call" AND user_role!="administrator")
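As an added example (not part of the original advisory), the SIEM query above expressed as a small Python check over constructed audit-log lines; it also counts repeated calls per user to cover the "multiple calls from non-admin users" indicator. The key=value record layout, the role names and the function module name ZZ_HYPOTHETICAL_INFO_FM are assumptions for illustration, not a real SAP Security Audit Log format.

```python
"""Detection helper for the CVE-2025-42968 monitoring guidance.

Flags function_module_call events by non-administrator users (the SIEM
query) and reports users that call the same function module repeatedly.
Record layout and module name are constructed for this example only.
"""
from collections import Counter

# Constructed sample records (not real SAP audit log output).
SAMPLE_LOG = [
    "event_type=function_module_call user=DEV01 user_role=developer module=ZZ_HYPOTHETICAL_INFO_FM",
    "event_type=function_module_call user=ADM01 user_role=administrator module=ZZ_HYPOTHETICAL_INFO_FM",
    "event_type=logon user=USR02 user_role=enduser module=-",
    "event_type=function_module_call user=DEV01 user_role=developer module=ZZ_HYPOTHETICAL_INFO_FM",
    "event_type=function_module_call user=USR02 user_role=enduser module=ZZ_HYPOTHETICAL_INFO_FM",
    "event_type=function_module_call user=DEV01 user_role=developer module=ZZ_HYPOTHETICAL_INFO_FM",
]


def parse_record(line):
    """Parse one 'key=value key=value ...' record into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def suspicious_calls(lines):
    """Records matching the SIEM query: RFC function module calls by non-admins."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec.get("event_type") == "function_module_call" and rec.get("user_role") != "administrator":
            hits.append(rec)
    return hits


def repeated_callers(lines, threshold=3):
    """Map (user, module) -> call count for non-admins at or above threshold.

    Covers the 'multiple calls to specific function modules' indicator; the
    threshold is an assumed tuning value, not taken from the advisory.
    """
    counts = Counter((r["user"], r["module"]) for r in suspicious_calls(lines))
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for rec in suspicious_calls(SAMPLE_LOG):
        print("non-admin RFC call:", rec["user"], rec["module"])
    for (user, module), n in repeated_callers(SAMPLE_LOG).items():
        print(f"repeated caller: {user} -> {module} ({n} calls)")
```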