Security Vulnerability Report
CVE-2025-42904 CVSS 6.5 MEDIUM

Published: 2025-12-09 16:17:53
Last Modified: 2026-04-15 00:35:42

Description

Due to an Information Disclosure vulnerability in Application Server ABAP, an authenticated attacker could read unmasked values displayed in ABAP Lists. Successful exploitation could lead to unauthorized disclosure of data, resulting in a high impact on confidentiality without affecting integrity or availability.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No CPE configuration data is available for this record.

Affected product: SAP Application Server ABAP (for the specific affected versions, refer to SAP Note 3662324).

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
abap
* CVE-2025-42904 PoC - SAP ABAP Information Disclosure
* Note: This is a conceptual PoC based on the vulnerability description.
* Actual exploitation requires valid SAP credentials.
*
* 1. Authentication Phase
*    - Obtain valid SAP user credentials (low privilege sufficient)
*    - Log in to the SAP system via SAP GUI or RFC
* 2. Trigger Vulnerability
*    - Execute specific ABAP transaction codes
*    - Access reports that display masked/unmasked sensitive data
*    - Example: access transaction codes that expose sensitive fields
* 3. Data Extraction
*    - Identify unmasked fields in ABAP Lists
*    - Extract sensitive information displayed in plain text
*    - Document exposed data for further exploitation
*
* RFC Example:
DATA: lv_username TYPE sy-uname,
      lt_userlist TYPE TABLE OF usr01.

CALL FUNCTION 'SUSR_USER_LIST'
  EXPORTING
    user_name = lv_username
  TABLES
    user_list = lt_userlist.
* Sensitive fields may be exposed in the returned table

References

https://me.sap.com/notes/3662324 (SAP Note 3662324)
https://url.sap/sapsecuritypatchday (SAP Security Patch Day)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-42904",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-09T16:17:52.993",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Due to an Information Disclosure vulnerability in Application Server ABAP, an authenticated attacker could read unmasked values displayed in ABAP Lists. Successful exploitation could lead to unauthorized disclosure of data, resulting in a high impact on confidentiality without affecting integrity or availability."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-549"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://me.sap.com/notes/3662324",
        "source": "[email protected]"
      },
      {
        "url": "https://url.sap/sapsecuritypatchday",
        "source": "[email protected]"
      }
    ]
  }
}