CVE-2025-42891: CWE-862: Missing Authorization in SAP_SE SAP Enterprise Search for ABAP
Due to a missing authorization check in SAP Enterprise Search for ABAP, an attacker with high privileges may read and export the contents of database tables into an ABAP report. This could lead to a high impact on data confidentiality and a low impact on data integrity. There is no impact on the application's availability.
AI Analysis
Technical Summary
CVE-2025-42891 is a missing authorization check (CWE-862) in SAP Enterprise Search for ABAP. A user who already holds high privileges in the SAP system can reach a code path that reads database tables and exports their contents into an ABAP report; because that path performs no authorization check of its own, the table-level access controls that would normally apply are never consulted. Affected software is SAP_BASIS 752 through 816, the platform layer under most current SAP NetWeaver and S/4HANA systems. The CVSS 3.1 vector components given are network attack vector (AV:N), low attack complexity (AC:L), no user interaction (UI:N) and high privileges required (PR:H); the impact is high on confidentiality (C:H), low on integrity (I:L) and none on availability (A:N). In practice this means any table the exporting component can reach, including those holding personal or financial data, can be extracted by an account that was never granted read access to it. No public exploit is known at the time of writing, but the component's presence in core SAP installations warrants prompt attention. The record here lists no patch reference; check SAP's Security Note for CVE-2025-42891 and apply it when available, relying on the compensating controls below in the meantime.
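What a missing authorization check looks like in a table-export report, as an added ABAP illustration that is not SAP's Enterprise Search code: the report reads whatever table the caller names and displays it, first in the CWE-862 form (reaching the report is the only gate) and then with SAP's standard table-level authorization applied. The report and class names are assumptions; S_TABU_DIS, S_TABU_NAM, the authorization-group table TDDAT and activity 03 (display) are SAP's standard table-access controls, and cl_salv_table is the standard ALV display class.

```abap
*&---------------------------------------------------------------------*
*& Report ZSEC_TABLE_EXPORT_DEMO  (added example, not SAP code)
*& A table-export report in the style the advisory describes. The
*& unchecked call is the CWE-862 pattern: reaching the report is
*& treated as permission to read any table. The checked path applies
*& SAP's table-level authorization: S_TABU_DIS on the table's
*& authorization group (TDDAT-CCLASS) and, as the documented fallback,
*& S_TABU_NAM on the table name, both for activity 03 (display).
*&---------------------------------------------------------------------*
REPORT zsec_table_export_demo.

PARAMETERS p_table TYPE tabname OBLIGATORY DEFAULT 'T000'.

CLASS lcl_exporter DEFINITION.
  PUBLIC SECTION.
    " abap_true when the current user may display iv_tabname.
    METHODS may_display IMPORTING iv_tabname        TYPE tabname
                        RETURNING VALUE(rv_allowed) TYPE abap_bool.
    " Reads the whole table into an internal table typed at runtime.
    METHODS read_table  IMPORTING iv_tabname     TYPE tabname
                        RETURNING VALUE(rr_data) TYPE REF TO data.
ENDCLASS.

CLASS lcl_exporter IMPLEMENTATION.
  METHOD may_display.
    DATA lv_cclass TYPE tddat-cclass.
    rv_allowed = abap_false.

    " Authorization group of the table; unclassified tables count as &NC&.
    SELECT SINGLE cclass FROM tddat
      WHERE tabname = @iv_tabname
      INTO @lv_cclass.
    IF lv_cclass IS INITIAL.
      lv_cclass = '&NC&'.
    ENDIF.

    " 1) Group-based check.
    AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
      ID 'DICBERCLS' FIELD lv_cclass
      ID 'ACTVT'     FIELD '03'.
    IF sy-subrc = 0.
      rv_allowed = abap_true.
      RETURN.
    ENDIF.

    " 2) Name-based fallback, consulted only when the group check fails.
    AUTHORITY-CHECK OBJECT 'S_TABU_NAM'
      ID 'TABLE' FIELD iv_tabname
      ID 'ACTVT' FIELD '03'.
    IF sy-subrc = 0.
      rv_allowed = abap_true.
    ENDIF.
  ENDMETHOD.

  METHOD read_table.
    FIELD-SYMBOLS <lt_data> TYPE STANDARD TABLE.
    CREATE DATA rr_data TYPE STANDARD TABLE OF (iv_tabname).
    ASSIGN rr_data->* TO <lt_data>.
    SELECT * FROM (iv_tabname) INTO TABLE @<lt_data>.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA lv_msg TYPE string.
  FIELD-SYMBOLS <lt_rows> TYPE STANDARD TABLE.
  DATA(lo_exporter) = NEW lcl_exporter( ).

  " Vulnerable pattern (CWE-862): export with no table-level check at all.
  "   DATA(lr_rows) = lo_exporter->read_table( p_table ).

  " Hardened pattern: refuse unless the caller may display this table.
  IF lo_exporter->may_display( p_table ) = abap_false.
    lv_msg = |No authorization to display table { p_table }|.
    MESSAGE lv_msg TYPE 'E'.
  ENDIF.

  DATA(lr_rows) = lo_exporter->read_table( p_table ).
  ASSIGN lr_rows->* TO <lt_rows>.

  TRY.
      cl_salv_table=>factory( IMPORTING r_salv_table = DATA(lo_alv)
                              CHANGING  t_table      = <lt_rows> ).
      lo_alv->display( ).
    CATCH cx_salv_msg INTO DATA(lx_salv).
      lv_msg = lx_salv->get_text( ).
      MESSAGE lv_msg TYPE 'E'.
  ENDTRY.
```

The point of the hardened path is that the check is bound to the table actually being read, not to the caller's ability to run the report: an administrator who can open Enterprise Search but has no S_TABU_DIS/S_TABU_NAM grant for a given table is refused at the read, which is exactly the gate the advisory says is missing.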
Potential Impact
For European organizations the impact of CVE-2025-42891 is significant because SAP ERP systems are widely used across manufacturing, finance, utilities and the public sector. An attacker with high privileges who can export arbitrary database tables threatens the confidentiality of critical business data, intellectual property and personal data protected under the GDPR, with regulatory penalties, reputational damage and financial loss as the likely consequences. The integrity impact is low, but exported data can support further attacks or insider activity. Availability is unaffected, so operational disruption is unlikely; the confidentiality breach alone is serious for organizations handling sensitive customer or strategic data. The high-privilege requirement limits exploitation to insiders or already compromised accounts, but compromised administrative accounts and privilege escalation through other weaknesses are realistic assumptions in complex SAP landscapes. Organizations subject to strict data protection requirements, or targeted by advanced persistent threats (APTs), should prioritize this vulnerability.
Mitigation Recommendations
1. Restrict high-privilege SAP accounts rigorously: only trusted administrators should hold roles that reach SAP_BASIS administration and Enterprise Search functions. Because the flaw is a missing check, an account's existing table authorizations (S_TABU_DIS, S_TABU_NAM) are not what stands between it and the data; what matters is whether it can reach the vulnerable export path at all.
2. Enforce segregation of duties so that no single account combines Enterprise Search administration with broad business or Basis privileges.
3. Review report execution and data export activity regularly for unusual table reads or exports originating from Enterprise Search.
4. Apply the SAP Security Note for this CVE as soon as it is available for the affected SAP_BASIS versions.
5. Keep SAP's standard authorization concept tight on database tables (authorization groups in TDDAT, S_TABU_DIS per group, and S_TABU_NAM only for specifically named tables); this limits what a patched system exposes and what an attacker can do with an account obtained by other means.
6. Enable the Security Audit Log (SM19/SM20, or RSAU_CONFIG/RSAU_READ_LOG on newer releases) and table change logging (rec/client) to record report starts, RFC calls and table changes involving Enterprise Search components.
7. Consider data loss prevention (DLP) controls at the points where exported reports leave the system (downloads, e-mail, file shares) to detect and block bulk table exports.
8. Include SAP authorization configuration, and specifically who can reach Enterprise Search, in regular security assessments and penetration tests.
9. Educate SAP administrators and users about the risks of privilege misuse and the importance of secure configuration.
10. If patching is delayed, temporarily disable or restrict the Enterprise Search features that allow report exports until the fix is applied.
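A concrete check for items 1 and 5, as an added ABAP report that is not part of the page or of SAP's code: it lists users whose currently valid direct role assignments grant display access to every table, either through S_TABU_DIS with DICBERCLS = '*' or S_TABU_NAM with TABLE = '*', together with an ACTVT value covering 03. AGR_USERS and AGR_1251 are SAP's standard role-assignment and role-authorization tables; the report name is an assumption.

```abap
*&---------------------------------------------------------------------*
*& Report ZSEC_WIDE_TABLE_DISPLAY  (added example, not SAP code)
*& Lists users whose currently valid direct role assignments grant
*& display access to every table: S_TABU_DIS with DICBERCLS = '*' or
*& S_TABU_NAM with TABLE = '*', where the same authorization also
*& carries ACTVT 03 or '*'. Composite roles are not expanded and
*& directly assigned profiles such as SAP_ALL are not covered
*& (those live in UST04/UST12); use SUIM for the complete picture.
*&---------------------------------------------------------------------*
REPORT zsec_wide_table_display.

TYPES: BEGIN OF ty_hit,
         uname    TYPE agr_users-uname,
         agr_name TYPE agr_users-agr_name,
         object   TYPE agr_1251-object,
         field    TYPE agr_1251-field,
         low      TYPE agr_1251-low,
       END OF ty_hit.

DATA lt_hits TYPE STANDARD TABLE OF ty_hit WITH EMPTY KEY.

START-OF-SELECTION.
  " a  = the table-selector row (group or name) with a wildcard value
  " act = the ACTVT row of the same authorization in the same role
  " u  = a user assignment of that role that is valid today
  SELECT DISTINCT u~uname, u~agr_name, a~object, a~field, a~low
    FROM agr_users AS u
    INNER JOIN agr_1251 AS a
      ON  a~agr_name = u~agr_name
    INNER JOIN agr_1251 AS act
      ON  act~agr_name = a~agr_name
      AND act~object   = a~object
      AND act~auth     = a~auth
    WHERE a~object    IN ( 'S_TABU_DIS', 'S_TABU_NAM' )
      AND a~field     IN ( 'DICBERCLS', 'TABLE' )
      AND a~low        = '*'
      AND a~deleted    = @space
      AND act~field    = 'ACTVT'
      AND act~low     IN ( '03', '*' )
      AND act~deleted  = @space
      AND u~from_dat  <= @sy-datum
      AND u~to_dat    >= @sy-datum
    INTO TABLE @lt_hits.

  " ACTVT given as a range (LOW/HIGH, e.g. 01-99) is not matched above;
  " treat an empty result as "no exact wildcard grant", not as "clean".
  IF lt_hits IS INITIAL.
    WRITE / 'No user holds wildcard table display via direct roles.'.
  ENDIF.
  LOOP AT lt_hits INTO DATA(ls_hit).
    WRITE: / ls_hit-uname, ls_hit-agr_name, ls_hit-object,
             ls_hit-field, ls_hit-low.
  ENDLOOP.
```

Every user this report lists can already read any table through the supported path, so for them the vulnerability changes nothing; the useful output is the gap between this list and the set of accounts that can reach Enterprise Search, which is the population the missing check actually exposes.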
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Belgium, Poland, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: sap
- Date Reserved: 2025-04-16T13:25:22.788Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69378a890af42da4c56f96d4
Added to database: 12/9/2025, 2:33:45 AM
Last enriched: 12/16/2025, 5:04:29 AM
Last updated: 2/4/2026, 7:25:58 PM