CVE-2025-42942 Overview
CVE-2025-42942 is a reflected cross-site scripting (XSS) vulnerability [CWE-79] in SAP NetWeaver Application Server for ABAP. An unauthenticated attacker can craft a URL containing malicious script content and trick an unauthenticated victim into clicking it. When the victim's browser processes the response, the injected script executes within the application's origin.
Successful exploitation lets the attacker read and modify a limited scope of information accessible through the victim's browser session. The flaw does not affect application availability. SAP addressed the issue through SAP Security Patch Day.
Critical Impact
Unauthenticated attackers can execute arbitrary script in a victim's browser session through a crafted URL, enabling limited disclosure and modification of user-scoped data in SAP NetWeaver ABAP.
Affected Products
- SAP NetWeaver Application Server for ABAP
- Web-facing ABAP components exposing the vulnerable endpoint
- SAP customers who have not applied SAP Note #3597355
Discovery Timeline
- 2025-08-12 - CVE-2025-42942 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-42942
Vulnerability Analysis
The vulnerability is a reflected cross-site scripting flaw in an SAP NetWeaver ABAP web-facing component. User-supplied input carried in a URL parameter is reflected in the HTTP response without adequate output encoding or input sanitization. When a browser renders the response, embedded script content executes in the context of the SAP application origin.
The attack requires no authentication and no prior privileges. It does require user interaction, since a victim must click the attacker-supplied link. Because the scope changes when script executes across the trusted origin boundary, an attacker can affect resources beyond the immediately vulnerable component.
Impact is bounded to confidentiality and integrity within the victim's browser context. Session tokens, form data, and rendered content become reachable. Availability of the SAP application is not impacted. EPSS data lists a low near-term exploitation probability, but SAP business systems remain attractive targets for phishing-driven access.
Root Cause
The root cause is improper neutralization of input during web page generation [CWE-79]. Input received on a request parameter is embedded into the HTTP response body without contextual encoding for the HTML or JavaScript sink, allowing attacker-controlled markup to reach the DOM.
Attack Vector
An attacker crafts a URL to the SAP NetWeaver endpoint with a payload embedded in a vulnerable parameter. The attacker delivers the URL through phishing email, chat, or a malicious web page. When an unauthenticated or authenticated victim opens the link in a browser, the reflected script runs within the SAP application origin and can read DOM content, issue requests, or manipulate page state within the victim's browser scope.
The vulnerability manifests when the reflected parameter is written to the response without HTML entity encoding. Refer to SAP Note #3597355 for the technical description of the affected component and fixed code paths.
Detection Methods for CVE-2025-42942
Indicators of Compromise
- HTTP request logs to SAP NetWeaver endpoints containing script tags, javascript: URIs, event handler attributes such as onerror= or onload=, or encoded variants in query parameters
- Outbound referrer traffic from SAP hostnames to attacker-controlled domains that could indicate script-triggered data exfiltration
- Unusual spikes in inbound requests to the same SAP URL from many distinct users, consistent with a phishing campaign
- Browser console errors or Content Security Policy violation reports originating from SAP application pages
Detection Strategies
- Inspect SAP Web Dispatcher and ICM access logs for reflected parameter values containing HTML metacharacters (<, >, ", ') or percent-encoded equivalents
- Deploy web application firewall (WAF) signatures for reflected XSS patterns targeting SAP NetWeaver ABAP request paths
- Correlate email gateway URL telemetry with SAP hostnames to surface phishing lures referencing the vulnerable endpoint
- Use endpoint telemetry from the Singularity Platform to correlate browser-initiated activity following clicks on suspicious SAP URLs with subsequent process or network behavior
Monitoring Recommendations
- Forward SAP NetWeaver HTTP logs and proxy logs into Singularity Data Lake with OCSF normalization for real-time query and hunting
- Alert on parameter values exceeding expected length or containing script keywords across SAP-facing hosts
- Monitor authentication events for session anomalies immediately following user clicks on external links to SAP hostnames
- Track patch state of SAP NetWeaver components against SAP Note #3597355 to identify unremediated systems
How to Mitigate CVE-2025-42942
Immediate Actions Required
- Apply the SAP-provided patch documented in SAP Note #3597355 to all affected SAP NetWeaver Application Server for ABAP instances
- Review the current SAP Security Patch Day bulletin and prioritize remediation across production, staging, and DR environments
- Restrict external exposure of SAP NetWeaver web endpoints where business use cases do not require internet reachability
- Warn users against clicking unsolicited links pointing to SAP hostnames, particularly links with long or unusual query strings
Patch Information
SAP released the fix through SAP Security Patch Day. Customers should download and apply the correction documented in SAP Note #3597355 following standard SAP change management procedures. Verify patch application by comparing component and support package levels against the fixed versions listed in the note.
Workarounds
- Enforce a strict Content Security Policy (CSP) that disallows inline script execution on SAP NetWeaver responses until patching is complete
- Configure the SAP Web Dispatcher or an upstream WAF to block requests containing script tags, event handler attributes, and known XSS payload signatures
- Disable or restrict access to the vulnerable web component via authorization objects and URL filters where operationally feasible
- Enable HttpOnly and Secure attributes on SAP session cookies to reduce impact of script execution within the victim's browser
# Example SAP Web Dispatcher rule to drop requests with common XSS patterns
# icm/HTTP/mod_0 = PREFIX=/, FILE=$(DIR_INSTANCE)/icm_filter_rules.txt
# icm_filter_rules.txt
if %{QUERY_STRING} regimatch (<script|javascript:|onerror=|onload=)
RegIRewriteResponse ^ - [forbidden]
end
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

