CVE-2025-42901: CWE-94: Improper Control of Generation of Code in SAP_SE SAP Application Server for ABAP (BAPI Browser)
CVE-2025-42901 is a medium-severity vulnerability in SAP Application Server for ABAP's BAPI Browser that allows authenticated attackers to store malicious JavaScript payloads. These payloads can execute in the browsers of users accessing the affected BAPI explorer functionality, potentially compromising confidentiality and integrity. The vulnerability does not impact availability and requires attacker authentication but no user interaction. It affects multiple SAP_BASIS versions from 700 through 816. No known exploits are currently reported in the wild. The CVSS score is 5.4, reflecting moderate risk due to ease of exploitation and limited impact scope. European organizations using affected SAP versions should prioritize patching and implement strict access controls and input validation to mitigate risks. Countries with significant SAP deployments and critical industries relying on SAP ERP systems are most at risk.
AI Analysis
Technical Summary
CVE-2025-42901 is a vulnerability classified under CWE-94 (Improper Control of Generation of Code) affecting the SAP Application Server for ABAP, specifically the BAPI Browser component. This flaw allows an authenticated attacker to inject and store malicious JavaScript payloads within the BAPI explorer interface. When a legitimate user accesses the compromised functionality, the stored script executes in their browser context, leading to potential cross-site scripting (XSS) attacks. The vulnerability arises from insufficient sanitization or validation of user-supplied input that is later rendered in the browser without proper encoding or filtering. The attack vector requires the attacker to have valid credentials (low privilege) but does not require further user interaction to trigger the payload. The impact primarily concerns confidentiality and integrity, as the attacker could steal session tokens, manipulate displayed data, or perform unauthorized actions on behalf of the victim user. Availability is not affected. The vulnerability affects a wide range of SAP_BASIS versions from 700 to 816, indicating a long-standing issue across multiple SAP releases. The CVSS 3.1 base score of 5.4 reflects a medium severity due to network attack vector, low attack complexity, required privileges, and no user interaction. No public exploits have been reported yet, but the presence of stored XSS in a critical enterprise application poses a significant risk if weaponized. SAP has not yet published patches or mitigations at the time of this report.
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to the confidentiality and integrity of SAP ERP data and user sessions. Exploitation could lead to session hijacking, unauthorized data manipulation, or phishing attacks leveraging the trusted SAP interface. Given SAP's widespread use in European industries such as manufacturing, finance, utilities, and public sector, successful exploitation could disrupt business processes and lead to data breaches. Although availability is unaffected, the loss of data integrity and confidentiality could result in regulatory non-compliance, reputational damage, and financial losses. The requirement for attacker authentication limits exposure but insider threats or compromised credentials could be leveraged. Organizations with extensive SAP landscapes and remote access to SAP portals are particularly vulnerable. The lack of known exploits currently reduces immediate risk but proactive remediation is critical to prevent future attacks.
Mitigation Recommendations
1. Apply SAP security patches immediately once available for the affected SAP_BASIS versions to remediate the vulnerability.
2. Enforce strict access controls and least privilege principles for SAP user accounts to reduce the risk of attacker authentication.
3. Implement multi-factor authentication (MFA) for SAP access to mitigate credential compromise risks.
4. Conduct thorough input validation and output encoding in custom SAP developments and extensions to prevent injection of malicious scripts.
5. Monitor SAP logs and user activities for unusual behavior indicative of exploitation attempts.
6. Educate SAP users about phishing and social engineering risks to reduce the likelihood of credential theft.
7. Restrict browser-based access to SAP BAPI explorer functionality to trusted networks or VPNs to limit exposure.
8. Use web application firewalls (WAF) with rules targeting XSS payloads in SAP web interfaces.
9. Regularly review and update SAP security configurations and perform vulnerability assessments.
10. Coordinate with SAP support and security advisories for updates and best practices.
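As an added illustration of the output-encoding point in the technical summary and in recommendation 4 (this is example code, not SAP's BAPI Browser implementation; the class name, method and sample values are assumptions), the following shows the ABAP ESCAPE built-in applied separately to each HTML output context before user-controlled text is rendered:

```abap
" Added example, not SAP code: context-aware output encoding with the
" ABAP ESCAPE built-in (cl_abap_format) before rendering user-controlled
" text such as an object description as HTML.
CLASS lcl_safe_html DEFINITION.
  PUBLIC SECTION.
    " Renders one list entry: the name in text context, the same name in a
    " URL parameter, and the description inside an HTML attribute.
    CLASS-METHODS render_item
      IMPORTING iv_name        TYPE string
                iv_description TYPE string
      RETURNING VALUE(rv_html) TYPE string.
ENDCLASS.

CLASS lcl_safe_html IMPLEMENTATION.
  METHOD render_item.
    " The pattern this replaces concatenates iv_description into the markup
    " unchanged, which is exactly what lets a stored payload become code.
    " Each embedded value is escaped for the context it lands in.
    rv_html = |<li><a href="?obj={ escape( val    = iv_name |
           && |format = cl_abap_format=>e_url ) }" |
           && |title="{ escape( val    = iv_description |
           && |format = cl_abap_format=>e_html_attr ) }">|
           && |{ escape( val    = iv_name |
           && |format = cl_abap_format=>e_html_text ) }</a></li>|.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " Constructed sample input: a description that contains markup.
  DATA(lv_html) = lcl_safe_html=>render_item(
    iv_name        = `BAPI_USER_GET_DETAIL`
    iv_description = `<b>bold</b> & "quoted"` ).
  " The angle brackets, ampersand and quotes reach the browser as entity
  " references, so the description is displayed, not interpreted.
  WRITE: / lv_html.
```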
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: sap
- Date Reserved: 2025-04-16T13:25:25.736Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ed9e3ae121319cf76b7b36
Added to database: 10/14/2025, 12:50:02 AM
Last enriched: 10/21/2025, 12:00:33 PM
Last updated: 12/4/2025, 6:07:49 PM
Views: 73