CVE-2025-31325 is a Cross-Site Scripting (XSS) vulnerability identified in SAP NetWeaver, specifically within the ABAP Keyword Documentation component of SAP_BASIS version 758. The vulnerability arises due to improper neutralization of input during web page generation, classified under CWE-79. An unauthenticated attacker can exploit this flaw by injecting malicious JavaScript code into a web page through an unprotected parameter. When a legitimate user accesses the compromised page, the injected script executes in their browser context. This execution allows the attacker to access limited restricted information available in the client’s browser session. Importantly, the vulnerability does not impact the integrity or availability of the SAP system itself, as the attack is confined to the client-side browser environment. The CVSS v3.1 base score is 5.8 (medium severity), reflecting the network attack vector, low attack complexity, no privileges or user interaction required, and a scope change due to the client-side impact. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability’s exploitation is limited to information disclosure within the browser context and does not allow direct system compromise or data manipulation on the server side.

For European organizations using SAP NetWeaver with the affected SAP_BASIS 758 version, this vulnerability poses a risk primarily to confidentiality at the client level. Attackers could leverage this XSS flaw to steal session tokens, cookies, or other sensitive information accessible via the browser, potentially enabling further attacks such as session hijacking or phishing. While the vulnerability does not affect system integrity or availability, the exposure of sensitive session data could lead to unauthorized access to SAP applications, which are often critical for enterprise resource planning and business operations. Given SAP’s widespread use across European industries including manufacturing, finance, and public sector, the risk of targeted attacks exploiting this vulnerability to gain footholds or escalate privileges is non-negligible. However, the lack of required authentication and user interaction lowers the barrier for exploitation, increasing the threat surface. The impact is more pronounced in environments where users access SAP NetWeaver portals through web browsers without additional security controls such as Content Security Policy (CSP) or Web Application Firewalls (WAFs).

European organizations should prioritize the following mitigations: 1) Immediate review and restriction of web parameters exposed by the ABAP Keyword Documentation interface to ensure no untrusted input is directly rendered without proper encoding or sanitization. 2) Implement robust input validation and output encoding on all web interfaces, particularly those serving dynamic content. 3) Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing SAP NetWeaver portals. 4) Utilize Web Application Firewalls (WAFs) with rules tuned to detect and block typical XSS payloads targeting SAP web components. 5) Monitor SAP security advisories closely for official patches or hotfixes and apply them promptly once available. 6) Educate users about the risks of clicking on suspicious links or accessing SAP portals from untrusted networks. 7) Conduct regular security assessments and penetration tests focusing on SAP web interfaces to detect similar injection flaws. These targeted actions go beyond generic advice by focusing on the specific SAP component and the nature of the vulnerability.