Advisory
On 14.10.2025 SAP SE released a security-relevant correction. The manufacturer resolves an issue within the Kernel.
SAP Note 3642021 addresses "[CVE-2025-42908] Cross-Site Request Forgery (CSRF) vulnerability in SAP NetWeaver Application Server for ABAP" to prevent cross-site request forgery (XSRF); the risk of exploitation is rated medium.
According to the SAP Security Advisory team, no workaround exists. The team advises implementing the correction as part of regular maintenance.
Risk specification
SAP NetWeaver AS ABAP allows an authenticated attacker to initiate transactions directly through the session manager, bypassing the initial transaction screen and its associated authorization check. This could enable the attacker to perform actions and execute transactions that would normally require specific permissions.
Solution
The vulnerability has been addressed by ensuring consistent handling of profile parameters related to CSRF protection and the logic for skipping the first screen.
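The advisory describes a classic design flaw: an authorization check that is bound to a UI step (the first screen) rather than to the action itself, so any entry path that skips the step also skips the check. The following added example is a constructed model of that pattern and is not SAP code; the transaction codes, the authorization-object names and the `csrf_protection` flag (standing in for a profile parameter) are hypothetical. It shows the "before" dispatcher, where the skip-first-screen path bypasses the check, beside a hardened dispatcher that performs the authorization check and CSRF validation at the transaction start on every path.

```python
"""Constructed model of the authorization-bypass pattern from the advisory.

Hypothetical example, not SAP code: transaction codes, authorization names and
the csrf_protection flag are made up for illustration.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class Session:
    user: str
    authorizations: set
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


# Constructed mapping: which authorization each transaction requires (hypothetical).
TRANSACTION_AUTHS = {
    "ZADMIN": "Z_ADMIN_AUTH",
    "ZREPORT": "Z_REPORT_AUTH",
}


class AuthorizationError(Exception):
    pass


class CsrfError(Exception):
    pass


def _first_screen(session, tcode):
    """The initial transaction screen; in the flawed design it owns the check."""
    required = TRANSACTION_AUTHS[tcode]
    if required not in session.authorizations:
        raise AuthorizationError(f"{session.user} lacks {required}")


def _execute(session, tcode):
    return f"{tcode} executed as {session.user}"


def vulnerable_start(session, tcode, skip_first_screen, csrf_token=None):
    """Before: the only authorization gate is inside the first-screen handler,
    so starting the transaction with skip_first_screen=True bypasses it."""
    if not skip_first_screen:
        _first_screen(session, tcode)
    return _execute(session, tcode)


def hardened_start(session, tcode, skip_first_screen, csrf_token=None,
                   csrf_protection=True):
    """After: CSRF validation and the authorization check are attached to the
    transaction start itself and applied consistently on both entry paths.
    csrf_protection stands in for a hypothetical profile parameter."""
    if csrf_protection:
        supplied = csrf_token or ""
        if not secrets.compare_digest(supplied, session.csrf_token):
            raise CsrfError("missing or invalid CSRF token")
    required = TRANSACTION_AUTHS[tcode]
    if required not in session.authorizations:
        raise AuthorizationError(f"{session.user} lacks {required}")
    if not skip_first_screen:
        _first_screen(session, tcode)  # still shown, but no longer the only gate
    return _execute(session, tcode)


def attempt(start_fn, session, tcode, skip_first_screen, csrf_token=None):
    """Run a start function and report the outcome as a short label."""
    try:
        start_fn(session, tcode, skip_first_screen, csrf_token)
        return "executed"
    except AuthorizationError:
        return "auth_denied"
    except CsrfError:
        return "csrf_denied"


if __name__ == "__main__":
    # Constructed session for a user who holds no transaction authorizations.
    low = Session(user="reader", authorizations={"Z_DISPLAY_ONLY"})
    print("vulnerable, via first screen:", attempt(vulnerable_start, low, "ZADMIN", False))
    print("vulnerable, screen skipped:  ", attempt(vulnerable_start, low, "ZADMIN", True))
    print("hardened, screen skipped:    ", attempt(hardened_start, low, "ZADMIN", True, low.csrf_token))
    print("hardened, no CSRF token:     ", attempt(hardened_start, low, "ZADMIN", True))
```

The point to take from the model is where the gate lives: a check that only runs when a particular screen is rendered is a UI convenience, not an authorization control, and a configuration flag that governs CSRF protection must be honoured on every code path that can start a transaction.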
The advisory is valid for
- KERNEL 7.53 51
- KERNEL 7.54 30
- KERNEL 7.77 48
- KERNEL 7.89 31
- KERNEL 7.93 25
- KERNEL 9.16 3
- KRNL64UC 7.53 51
