SAP NetWeaver AS ABAP Multiple Vulnerabilities (October 2025)

medium Nessus Plugin ID 270697

Synopsis

The remote SAP NetWeaver ABAP server may be affected by multiple vulnerabilities.

Description

The version of SAP NetWeaver Application Server for ABAP detected on the remote host is affected by multiple vulnerabilities as disclosed in the SAP Security Patch Day October 2025:

- Due to a memory corruption vulnerability in SAP NetWeaver AS ABAP and ABAP Platform, an unauthenticated attacker can send a corrupted SAP Logon Ticket or SAP Assertion Ticket to the SAP application server. This leads to a NULL pointer dereference that crashes the work process. As a result, it has a low impact on availability but no impact on confidentiality or integrity. (CVE-2025-42902)

- Applications based on SAP GUI for HTML in SAP NetWeaver Application Server ABAP store user input in the local browser storage to improve usability. An attacker with administrative privileges or access to the victim's user directory at the operating system level would be able to read this data. Depending on the user input provided in transactions, the disclosed data could range from non-critical data to highly sensitive data, causing high impact on the confidentiality of the application. (CVE-2025-0059)

- Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP NetWeaver Application Server for ABAP, an authenticated attacker could initiate transactions directly via the session manager, bypassing the first transaction screen and the associated authorization check. This vulnerability could allow the attacker to perform actions and execute transactions that would normally require specific permissions, compromising the integrity and confidentiality of the system by enabling unauthorized access to restricted functionality. There is no impact to availability from this vulnerability. (CVE-2025-42908)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Apply the appropriate patch according to the vendor advisory.

See Also

http://www.nessus.org/u?9950e280

https://me.sap.com/notes/3627308

https://me.sap.com/notes/3503138

https://me.sap.com/notes/3642021

Plugin Details

Severity: Medium

ID: 270697

File Name: sap_netweaver_as_abap_oct_2025.nasl

Version: 1.2

Type: remote

Family: Web Servers

Published: 10/17/2025

Updated: 10/17/2025

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2025-0059

CVSS v3

Risk Factor: Medium

Base Score: 6

Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Vulnerability Information

CPE: cpe:/a:sap:netweaver_application_server

Required KB Items: installed_sw/SAP Netweaver Application Server (AS), Settings/ParanoidReport

Patch Publication Date: 1/13/2025

Vulnerability Publication Date: 1/13/2025

Reference Information

CVE: CVE-2025-0059, CVE-2025-42902, CVE-2025-42908

IAVB: 2025-A-0739