RCE via SQL Console in SAP ABAP Platform
CVE-2025-42949 Published on August 12, 2025
Missing Authorization check in ABAP Platform
Due to a missing authorization check in the ABAP Platform, an authenticated user with elevated privileges could bypass authorization restrictions for common transactions by leveraging the SQL Console. This could enable an attacker to access and read the contents of database tables without proper authorization, leading to a significant compromise of data confidentiality. However, the integrity and availability of the system remain unaffected.
Vulnerability Analysis
CVE-2025-42949 can be exploited with network access, and requires user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2025-42949 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2025-42949
Want to know whenever a new CVE is published for SAP Abap Platform? stack.watch will email you.
Affected Versions
SAP_SE ABAP Platform:- Version SAP_BASIS 758 is affected.
- Version SAP_BASIS 816 is affected.
- Version SAP_BASIS 916 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.