CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2025-0066

CVSS 9.9v3.1pub. 2025-01-14upd. 2025-10-23

Under certain conditions SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) allows an attacker to access restricted information due to weak access controls. This can have a significant impact on the confidentiality, integrity, and availability of an application

🤖 AI Analysis
How it works

Under specific environmental conditions, the Internet Communication Framework (ICF) component in SAP NetWeaver AS for ABAP does not properly enforce access restrictions (CWE-732 – improper permissions configured for resources). An attacker with basic network access and minimal privileges can exploit this vulnerability to gain access to information and resources they should not have access to. The vulnerability does not require user interaction, and its scope extends beyond the original application context (Scope Changed).

Impact

An attacker can gain unauthorized access to protected data and functions of the SAP system, which may result in disclosure of sensitive business information, data modification, and disruption of application availability.

Mitigation & patch

Apply patches available from the vendor according to references – SAP note no. 3550708 published as part of SAP Security Patch Day (https://url.sap/sapsecuritypatchday). Immediate implementation of the fix is recommended due to critical CVSS level 9.9.

Who is affected

SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) – SAP Basis; specific versions indicated in vendor references (SAP note 3550708)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Sap Basis

    APP
    Sap
    700701702731740750751752753754755756757758912+ 2 więcej
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
CWE
References

Related vulnerabilities

CVE-2026-23687HIGH8.8ten sam produkt

SAP NetWeaver Application Server ABAP and ABAP Platform allows an authenticated attacker with normal privilege...

CVE-2025-0063HIGH8.8ten sam produkt

SAP NetWeaver AS ABAP and ABAP Platform does not check for authorization when a user executes some RFC functio...

CVE-2016-4551HIGH7.5ten sam produkt

The (1) SAP_BASIS and (2) SAP_ABA components 7.00 SP Level 0031 in SAP NetWeaver 2004s might allow remote atta...

CVE-2026-0484MEDIUM6.5ten sam produkt

Due to missing authorization check in SAP NetWeaver Application Server ABAP and SAP S/4HANA, an authenticated ...

CVE-2026-24312MEDIUM5.2ten sam produkt

An erroneous authorization check in SAP Business Workflow leads to privilege escalation. An authenticated admi...