CVE-2025-42983 Overview
CVE-2025-42983 affects SAP Business Warehouse and SAP Plug-In Basis. An authenticated attacker can drop arbitrary SAP database tables through the affected components. Successful exploitation deletes database entries permanently and can render the system unusable. The vulnerability does not permit attackers to read data, but the destructive impact on data integrity and availability is significant. The flaw is classified under [CWE-862] Missing Authorization. SAP addressed the issue on its June 2025 Security Patch Day through SAP Note #3606484.
Critical Impact
An authenticated attacker with low privileges can remotely drop arbitrary SAP database tables, causing irreversible data loss and potential business operations disruption.
Affected Products
- SAP Business Warehouse
- SAP Plug-In Basis
- SAP NetWeaver ABAP-based deployments containing the affected components
Discovery Timeline
- 2025-06-10 - CVE-2025-42983 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-42983
Vulnerability Analysis
The vulnerability resides in functionality exposed by SAP Business Warehouse and SAP Plug-In Basis that performs database table operations without verifying caller authorization. An authenticated user with low privileges can invoke the affected functions over the network to drop arbitrary SAP database tables. The result is permanent deletion of database entries, which directly impacts integrity and availability. The flaw does not expose data confidentiality, so attackers cannot read table contents, but the destructive nature creates conditions for sabotage, ransomware-style extortion, and prolonged outages. Because the CVSS scope is rated Changed, the impact crosses authorization boundaries and affects components beyond the vulnerable module.
Root Cause
The defect is a Missing Authorization issue [CWE-862]. The affected SAP function modules execute privileged database operations without checking whether the authenticated caller is permitted to perform table-drop actions on the target objects. SAP authorization objects that should gate destructive Data Definition Language (DDL) operations are not enforced in the code path used by the vulnerable components.
Attack Vector
Exploitation requires network access to an SAP system and valid credentials with low privilege. After authentication, the attacker calls the exposed functionality—typically through Remote Function Call (RFC) interfaces, SAP GUI transactions, or background processing—passing the name of the target table. The system performs the drop without validating authorization, removing the table and its contents. The vulnerability requires no user interaction and no elevated privileges, lowering the barrier for malicious insiders or attackers who have phished or brute-forced standard SAP user credentials.
No verified public proof-of-concept is available. See the SAP Security Patch Day advisory for technical context.
Detection Methods for CVE-2025-42983
Indicators of Compromise
- Unexpected DROP TABLE statements recorded in SAP database audit logs, particularly affecting Business Warehouse tables.
- SAP Security Audit Log entries showing RFC function module calls from non-administrative users that result in DDL operations.
- Missing tables reported by application jobs, ABAP short dumps (DBIF_RSQL_TABLE_UNKNOWN), or BW process chain failures.
- Sudden spikes in change-document or transport activity from low-privilege accounts.
Detection Strategies
- Enable and review the SAP Security Audit Log (transaction SM19/SM20) for RFC calls and table-drop events tied to the vulnerable components.
- Correlate database-layer audit events with SAP user IDs to identify drops issued outside change windows or by accounts without DDL authorization.
- Hunt for anomalous RFC traffic patterns against Business Warehouse function groups from unusual source hosts.
Monitoring Recommendations
- Forward SAP Security Audit Log, gateway log, and database audit log entries to a centralized SIEM for retention and alerting.
- Alert on any DROP TABLE event executed by the SAP work process account when initiated by non-administrative users.
- Baseline normal Business Warehouse maintenance activity and trigger detections on deviations in time, volume, or originating user.
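As an added example (not code from the advisory or from SAP), the correlation logic from the detection strategies and monitoring recommendations above, run over constructed audit records: it flags DROP TABLE statements issued by SAP user IDs without DDL authorization or outside the approved change window. The record format, the SAP user names, the authorized-user set and the window times are assumptions for illustration only.

```python
import re
from datetime import datetime, time

# Constructed sample: database audit records already correlated with the SAP user ID
# (the record format is an assumption for this example, not a real SAP or DBMS log format).
SAMPLE_AUDIT_LINES = """\
2025-06-11T22:10:03Z db_user=SAPSR3 sap_user=BASISADM stmt="DROP TABLE /BIC/AZSALES00"
2025-06-12T09:41:17Z db_user=SAPSR3 sap_user=ZREPORT07 stmt="DROP TABLE /BIC/FZSALESCUBE"
2025-06-12T09:41:18Z db_user=SAPSR3 sap_user=ZREPORT07 stmt="SELECT * FROM RSDCUBE"
2025-06-12T14:05:44Z db_user=SAPSR3 sap_user=BASISADM stmt="DROP TABLE ZTMP_LOAD_01"
"""
# Constructed role data: SAP users approved to run DDL (assumption for the example).
DDL_AUTHORIZED_USERS = {"BASISADM"}
# Constructed change window (UTC): DDL is expected only between 22:00 and 04:00.
WINDOW_START, WINDOW_END = time(22, 0), time(4, 0)

LINE_RE = re.compile(
    r'^(?P<ts>\S+) db_user=(?P<db_user>\S+) sap_user=(?P<sap_user>\S+) stmt="(?P<stmt>[^"]*)"$'
)
DROP_RE = re.compile(r"^\s*DROP\s+TABLE\s+(?P<table>\S+)", re.IGNORECASE)

def in_change_window(ts: str) -> bool:
    """True if the ISO-8601 UTC timestamp falls inside the approved DDL window."""
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").time()
    return t >= WINDOW_START or t < WINDOW_END  # window crosses midnight

def detect_suspicious_drops(lines: str) -> list[dict]:
    """Return one alert per DROP TABLE issued by an unauthorized user or outside the window."""
    alerts = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed records instead of crashing the pipeline
        d = DROP_RE.match(m["stmt"])
        if not d:
            continue  # only destructive DDL is of interest here
        reasons = []
        if m["sap_user"] not in DDL_AUTHORIZED_USERS:
            reasons.append("user lacks DDL authorization")
        if not in_change_window(m["ts"]):
            reasons.append("outside change window")
        if reasons:
            alerts.append({"ts": m["ts"], "sap_user": m["sap_user"],
                           "table": d["table"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in detect_suspicious_drops(SAMPLE_AUDIT_LINES):
        print(f'{a["ts"]} {a["sap_user"]} dropped {a["table"]}: {", ".join(a["reasons"])}')
```

In a real deployment the user-to-authorization mapping would come from the SAP role export and the records from the SIEM, and the authorized in-window drop of the first line is the only one that produces no alert.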
How to Mitigate CVE-2025-42983
Immediate Actions Required
- Apply SAP Note #3606484 to all SAP Business Warehouse and SAP Plug-In Basis systems, prioritizing production landscapes.
- Audit SAP user accounts and remove unnecessary RFC and Business Warehouse authorizations from non-administrative roles.
- Verify that database backups are current, tested, and stored offline to enable recovery if exploitation occurs.
- Restrict network access to SAP application servers so only required hosts and administrators can reach RFC and dispatcher ports.
Patch Information
SAP released the fix on its June 2025 Security Patch Day. The corrective code and prerequisite information are documented in SAP Note #3606484. Customers should review the note for component versions, support package levels, and manual pre- and post-implementation steps. Additional advisories are indexed on the SAP Security Patch Day portal.
Workarounds
- Where the patch cannot be applied immediately, restrict authorization objects covering the affected function modules so only trusted administrators can invoke them.
- Enforce strict RFC allow-listing using SAP Unified Connectivity (UCON) to block untrusted callers from reaching the vulnerable function groups.
- Disable or limit access to Business Warehouse maintenance transactions for general user roles until patching is complete.
- Increase logging verbosity on the SAP Security Audit Log and database audit trail to shorten detection time during the interim period.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.