CVE-2025-0063: SAP NetWeaver Authorization Bypass Flaw

CVE-2025-0063 Overview

CVE-2025-0063 affects SAP NetWeaver Application Server ABAP and ABAP Platform. The vulnerability stems from missing authorization checks when users invoke certain Remote Function Call (RFC) function modules. Authenticated attackers with basic user privileges can manipulate data in the underlying Informix database. Successful exploitation leads to full compromise of confidentiality, integrity, and availability of the affected SAP system. The flaw is classified under [CWE-89] (SQL Injection) and impacts SAP Basis releases from 700 through 758. SAP addressed the issue on its January 2025 Security Patch Day via SAP Note 3550816.

Critical Impact

A low-privileged authenticated user can execute unauthorized RFC calls that pass attacker-controlled input to the Informix database, resulting in complete loss of data confidentiality, integrity, and availability.

Affected Products

• SAP NetWeaver AS ABAP and ABAP Platform — SAP Basis 700, 701, 702, 731, 740
• SAP Basis 750, 751, 752, 753, 754, 755
• SAP Basis 756, 757, 758

Discovery Timeline

• 2025-01-14 - CVE-2025-0063 published to NVD
• 2025-01-14 - SAP releases security patch via SAP Note 3550816 on Security Patch Day
• 2025-10-24 - Last updated in NVD database

Technical Details for CVE-2025-0063

Vulnerability Analysis

The vulnerability resides in RFC function modules exposed by SAP NetWeaver AS ABAP that interact with an Informix database backend. SAP did not enforce proper authorization checks before executing these modules. Any authenticated user with basic SAP privileges can invoke the affected RFC endpoints over the network. Because the modules forward user-supplied parameters into database operations without sufficient validation, an attacker can influence SQL statements processed by the Informix engine, mapping to [CWE-89] (SQL Injection). The result is unauthorized read, modification, and deletion of database content, including data the attacker should not be able to access through normal SAP role assignments.

Root Cause

The root cause is twofold. First, the affected RFC function modules lack AUTHORITY-CHECK statements that would restrict callers to authorized roles. Second, input handed off to Informix database operations is not adequately sanitized or parameterized, permitting injection of attacker-controlled SQL fragments. Together, these defects allow a basic user to bypass SAP's role-based access model and operate directly against the database.

Attack Vector

The attack is conducted over the network against the SAP Gateway or any interface that accepts RFC calls. The attacker authenticates with valid but low-privileged credentials, then invokes the vulnerable RFC modules with crafted parameters. No user interaction is required. Because the RFC layer is commonly reachable from internal application servers, third-party connectors, and service users, the exploitable surface is broad in typical SAP landscapes. See SAP Note 3550816 for technical details restricted to authorized SAP customers.

Detection Methods for CVE-2025-0063

Indicators of Compromise

• Unexpected RFC calls to database-related function modules originating from user accounts that do not normally invoke RFC interfaces.
• Anomalous Informix database queries containing concatenated SQL syntax, UNION SELECT, or comment markers initiated by SAP work processes.
• Spikes in SM21 system log entries or ST22 short dumps tied to RFC execution and database errors.
• Modifications to sensitive tables performed outside of standard transactions or change documents.

Detection Strategies

• Enable and review SAP Security Audit Log (SM19/SM20) events for RFC function module execution, especially calls made by dialog users with minimal roles.
• Correlate RFC_CALL audit records with database-layer logs to identify modules that touch Informix tables outside expected business processes.
• Use SAP UCON (Unified Connectivity) to baseline allowed RFC function modules and alert on calls outside the allowlist.

Monitoring Recommendations

• Forward SAP audit, gateway, and database logs to a central SIEM for correlation against authentication and authorization events.
• Monitor for newly created or reactivated service accounts invoking RFC modules tied to database access.
• Track patch deployment status across all SAP Basis instances and flag systems still running unpatched versions in the 700–758 range.

How to Mitigate CVE-2025-0063

Immediate Actions Required

• Apply the SAP-provided fix referenced in SAP Note 3550816 on all SAP NetWeaver AS ABAP and ABAP Platform systems running affected SAP Basis releases.
• Audit user assignments and remove unnecessary RFC execution authorizations (S_RFC) from dialog and service users.
• Restrict network exposure of the SAP Gateway and message server to trusted hosts using gw/sec_info and gw/reg_info access control lists.

Patch Information

SAP published the corrective note on Security Patch Day, January 14, 2025. Customers should download the kernel and support package updates referenced in SAP Note 3550816 and the SAP Security Patch Day portal. Apply patches across development, quality assurance, and production systems following standard SAP transport procedures.

Workarounds

• Enable SAP UCON in active mode to block RFC function modules that are not explicitly required for business processes.
• Tighten S_RFC authorization objects so that basic users cannot call function groups associated with database administration or generic table access.
• Place SAP Gateway behind network segmentation and require strong authentication for any RFC connection originating from outside the trusted SAP zone.

# Example: restrict RFC access via SAP Gateway secinfo entries
# Format: P TP=<program> HOST=<host> ACCESS=<host> CANCEL=<host>
P TP=* HOST=internal-app-server ACCESS=internal-app-server CANCEL=internal-app-server
D TP=* HOST=* ACCESS=* CANCEL=*