CVE-2025-42945 Overview
CVE-2025-42945 is an HTML injection vulnerability in SAP NetWeaver Application Server ABAP. An attacker can craft a URL containing malicious script payloads and deliver it to a user with an active session. When the victim clicks the link, the script executes in the context of their authenticated session. Successful exploitation results in limited read access to data or unauthorized data manipulation. The flaw is categorized under [CWE-94] (Improper Control of Generation of Code).
Critical Impact
Attackers can execute injected scripts within an authenticated SAP user's browser session, leading to limited data disclosure and integrity impact across affected NetWeaver ABAP deployments.
Affected Products
- SAP NetWeaver Application Server ABAP
- SAP components dependent on the affected NetWeaver ABAP stack
- Refer to SAP Note #3585491 for the complete list of affected support package levels
Discovery Timeline
- 2025-08-12 - CVE-2025-42945 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-42945
Vulnerability Analysis
The vulnerability resides in SAP NetWeaver Application Server ABAP, the runtime that hosts ABAP-based business applications. The affected component fails to properly sanitize user-controlled input rendered into HTML responses. An attacker constructs a URL with a script payload embedded in a vulnerable parameter. When the target user, already authenticated to the SAP application, visits the URL, the payload is reflected into the response and executed by the browser.
The attack requires user interaction and operates across a security scope boundary, allowing the injected script to reach resources beyond the initially vulnerable component. Confidentiality and integrity are impacted at a limited level; availability is not affected.
Root Cause
The root cause is improper neutralization of directives in dynamically generated web content. Input supplied through request parameters is written into the HTML response without adequate encoding or context-aware escaping. This allows attacker-controlled markup and script tags to be interpreted by the victim's browser rather than rendered as literal text.
Attack Vector
The attack is delivered over the network and requires no privileges. It depends on social engineering: the attacker must convince an authenticated SAP user to click a specially crafted URL. Common delivery channels include phishing emails, chat messages, or malicious links embedded in trusted portals. Once triggered, the payload executes with the privileges of the victim's active SAP session and can perform actions permitted by that session, including reading limited data or issuing state-changing requests.
No public proof-of-concept exploit has been observed, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS probability stands at 0.189%.
Detection Methods for CVE-2025-42945
Indicators of Compromise
- Inbound HTTP GET or POST requests to SAP NetWeaver ABAP endpoints containing encoded <script>, javascript:, onerror=, or onload= tokens in query parameters
- Referrer headers on SAP application requests originating from external, untrusted domains
- Unusual outbound requests from authenticated user sessions to attacker-controlled hosts shortly after clicking external links
- Web server access logs showing repeated probing of ABAP web-enabled transactions with unusual parameter payloads
Detection Strategies
- Deploy web application firewall (WAF) rules that inspect URL parameters and request bodies for reflected XSS and HTML injection patterns targeting SAP endpoints
- Enable ABAP HTTP request logging and correlate parameter contents against known injection signatures
- Monitor SAP Security Audit Log (SM19/SM20) for anomalous transaction execution tied to web-facing sessions
- Establish behavioral baselines for authenticated SAP user activity and alert on deviations following external link clicks
Monitoring Recommendations
- Forward SAP NetWeaver Internet Communication Manager (ICM) logs and web dispatcher logs to a centralized SIEM for correlation
- Track HTTP response bodies containing user-supplied input echoed without encoding
- Alert on browser-originated requests carrying script payloads targeting /sap/bc/ or other ABAP web service paths
- Monitor for spikes in 4xx and 5xx responses on SAP endpoints, which may indicate exploitation probing
How to Mitigate CVE-2025-42945
Immediate Actions Required
- Apply the SAP-provided security patch referenced in SAP Note #3585491 as soon as possible
- Review the SAP Security Patch Day advisory for the release cycle in which this fix was published
- Identify all NetWeaver ABAP systems exposed to end users via HTTP and prioritize them for remediation
- Notify SAP end users to be cautious of unsolicited links referencing internal SAP URLs
Patch Information
SAP has released a corrective patch documented in SAP Note #3585491. Customers must authenticate to the SAP for Me portal to retrieve the note and associated support package or transport. The patch introduces proper output encoding on the vulnerable code paths, preventing script payloads from being interpreted as executable HTML in the browser.
Workarounds
- Restrict access to SAP NetWeaver ABAP web endpoints by IP allowlisting or VPN-only access where business requirements permit
- Deploy a WAF in front of SAP systems and enable rulesets that block reflected XSS and HTML injection payloads
- Enforce strict Content Security Policy (CSP) headers on SAP web responses to limit inline script execution
- Train users to avoid clicking SAP application URLs received from untrusted sources and to validate the domain before authentication
# Example: WAF-style pattern to inspect for HTML injection on SAP ABAP endpoints
# (adapt to your WAF syntax; this is illustrative)
SecRule REQUEST_URI "@rx /sap/bc/" \
"chain,deny,status:403,id:1042945,msg:'Possible HTML injection targeting SAP NetWeaver ABAP (CVE-2025-42945)'"
SecRule ARGS "@rx (?i)(<script|javascript:|onerror=|onload=|<iframe)" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

