CVE-2025-42953 Overview
CVE-2025-42953 is a missing authorization vulnerability [CWE-862] in SAP NetWeaver System Configuration. The component does not perform required authorization checks for an authenticated user. An attacker with low-level credentials can escalate privileges over the network without user interaction. Successful exploitation compromises the integrity and availability of the system, while confidentiality is not impacted.
SAP published the fix through SAP Note #3623440 as part of its monthly SAP Security Patch Day release.
Critical Impact
An authenticated attacker can bypass authorization checks in SAP NetWeaver System Configuration to gain elevated privileges, leading to full compromise of integrity and availability of the affected SAP system.
Affected Products
- SAP NetWeaver (System Configuration component)
- See SAP Note #3623440 for the authoritative list of affected releases and Support Package levels
- Refer to the SAP Security Patch Day Update for additional product coverage
Discovery Timeline
- 2025-07-08 - CVE-2025-42953 published to the National Vulnerability Database (NVD)
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-42953
Vulnerability Analysis
CVE-2025-42953 is classified as a missing authorization weakness [CWE-862] in the System Configuration functionality of SAP NetWeaver. The application authenticates the user but fails to verify whether that user holds the privileges required to perform sensitive configuration operations. As a result, any user with valid low-privilege credentials can invoke functions that should be restricted to administrators.
The vulnerability is reachable across the network, requires authentication, and does not require user interaction. SAP NetWeaver functions as the technical foundation for many SAP business applications, so abuse of System Configuration can affect downstream modules running on the same stack.
The EPSS model currently estimates a low probability of exploitation in the short term, but the network-reachable nature of the flaw and the typical exposure of SAP application servers warrant prompt patching.
Root Cause
The System Configuration component performs authentication but omits the authorization checks required before executing privileged operations. SAP role and authorization objects that should gate the affected functions are not consistently evaluated. Authenticated callers therefore reach code paths that modify system state without holding the necessary S_* authorization values.
Attack Vector
An attacker authenticates to the SAP NetWeaver application using any valid low-privileged account, including accounts created for business users, technical integrations, or partners. The attacker then issues a request to the System Configuration function that lacks the authorization check. Because the server does not validate the caller's role, the request is executed with elevated effect, allowing the attacker to alter configuration, write data, or disrupt availability.
No exploitation code, public proof-of-concept, or CISA KEV listing is associated with CVE-2025-42953 at the time of writing. Technical specifics are restricted to customers with access to SAP Note #3623440.
Detection Methods for CVE-2025-42953
Indicators of Compromise
- Unexpected changes to SAP system configuration entries made by non-administrative users
- Authentication events from low-privileged accounts followed by privileged configuration actions in the same session
- SAP Security Audit Log entries showing function module or RFC calls into System Configuration from accounts without corresponding role assignments
Detection Strategies
- Enable and review the SAP Security Audit Log (transaction SM19/RSAU_CONFIG) for configuration changes correlated with non-admin user IDs
- Forward SAP audit, gateway, and HTTP logs to a centralized analytics platform and alert on configuration writes performed without the expected S_* authorization objects
- Run periodic role reviews with SUIM to identify users who recently performed privileged actions outside their assigned roles
Monitoring Recommendations
- Monitor RFC and HTTP traffic to SAP NetWeaver application servers for anomalous calls to System Configuration endpoints
- Track creation, modification, and deletion of system parameters, RFC destinations, and trust relationships and alert on changes attributed to non-administrative principals
- Track failed and successful logons followed by configuration changes from the same session for behavioral anomaly detection
How to Mitigate CVE-2025-42953
Immediate Actions Required
- Apply the SAP-provided patch referenced in SAP Note #3623440 to all affected SAP NetWeaver systems
- Inventory SAP NetWeaver application servers and confirm Support Package and kernel levels against the SAP Note
- Restrict network access to SAP application servers so that only required clients and integration systems can reach the affected endpoints
- Audit user accounts and remove unnecessary or dormant logins that could be abused to authenticate against the vulnerable component
Patch Information
SAP released the corrective patch as part of the monthly SAP Security Patch Day. Customers should download and apply the components listed in SAP Note #3623440 and verify installation against the SAP Security Patch Day Update. Patching is the only complete remediation for this missing authorization flaw.
Workarounds
- If immediate patching is not feasible, tighten role assignments so the smallest possible population of users can authenticate to the System Configuration component
- Use SAP UCON and gateway access control lists (reginfo, secinfo) to restrict which clients can invoke RFC functions against the affected system
- Increase SAP Security Audit Log coverage for configuration transactions and review logs daily until the patch is applied
- Place SAP application servers behind network segmentation and require VPN or jump-host access for administrative interfaces
# Example: enable SAP Security Audit Log for configuration-related events
# (configure via transaction RSAU_CONFIG)
# - Audit class: System, Transaction start, RFC call
# - Events: All audit-relevant events for admin and technical users
# - Filter: User group containing non-administrative accounts
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
