
CVE-2025-42901: CWE-94: Improper Control of Generation of Code in SAP_SE SAP Application Server for ABAP (BAPI Browser)

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-42901, cve, cve-2025-42901, cwe-94
Published: Tue Oct 14 2025 (10/14/2025, 00:17:23 UTC)
Source: CVE Database V5
Vendor/Project: SAP_SE
Product: SAP Application Server for ABAP (BAPI Browser)

Description

SAP Application Server for ABAP allows an authenticated attacker to store malicious JavaScript payloads which could be executed in victim user's browser when accessing the affected functionality of BAPI explorer. This has low impact on confidentiality and integrity with no impact on availability of the application.

AI-Powered Analysis

Last updated: 10/14/2025, 01:06:27 UTC

Technical Analysis

CVE-2025-42901 is a vulnerability classified under CWE-94 (Improper Control of Generation of Code) affecting the SAP Application Server for ABAP, specifically the BAPI Browser component. The flaw allows an authenticated attacker to inject and store malicious JavaScript code within the BAPI explorer interface. When legitimate users access this interface, the stored script executes in their browsers, resulting in a stored cross-site scripting (XSS) attack. This can lead to unauthorized disclosure of sensitive information (confidentiality impact) and potential manipulation of data or user sessions (integrity impact). The vulnerability does not affect system availability. The attacker must have valid credentials to exploit this issue, but no further user interaction (such as clicking a link) is required once the malicious code is stored. The vulnerability affects a wide range of SAP_BASIS versions from 700 to 816, indicating a long-standing and broadly deployed component is impacted. Despite the absence of known exploits in the wild, the vulnerability's presence in critical enterprise software necessitates attention. The CVSS 3.1 base score of 5.4 reflects a medium severity, with network attack vector, low attack complexity, and privileges required but no user interaction needed. The root cause is improper sanitization or validation of user input that allows malicious code to be stored and executed in a trusted context.

Potential Impact

For European organizations, this vulnerability poses a moderate risk primarily to confidentiality and integrity of data processed through SAP systems. Exploitation could allow attackers to steal session tokens, harvest user credentials, or manipulate displayed data within the SAP GUI accessed via browsers. This can lead to unauthorized access to sensitive business information, financial data, or intellectual property. While availability is not impacted, the breach of confidentiality and integrity can disrupt business operations and compliance with data protection regulations such as GDPR. Organizations in sectors heavily reliant on SAP ERP systems—such as manufacturing, finance, utilities, and government—may face increased risk. The need for attacker authentication limits exposure somewhat, but insider threats or compromised credentials could facilitate exploitation. The broad range of affected SAP_BASIS versions means many European enterprises running legacy or unpatched SAP environments are vulnerable. The absence of known exploits currently provides a window for proactive mitigation before active attacks emerge.

Mitigation Recommendations

European organizations should immediately assess their SAP Application Server for ABAP versions against the affected list (SAP_BASIS 700 through 816). Since no official patches are listed yet, organizations should implement compensating controls such as:

1) Restricting and monitoring access to the BAPI Browser functionality to trusted administrators only.
2) Enforcing strong authentication and session management policies to reduce risk of credential compromise.
3) Applying input validation and output encoding at the application layer where possible to prevent script injection.
4) Conducting regular security audits and code reviews of custom ABAP code interacting with BAPI explorer.
5) Educating users about the risks of stored XSS and encouraging cautious behavior when accessing SAP web interfaces.
6) Monitoring SAP logs and network traffic for unusual activity indicative of exploitation attempts.
7) Preparing to deploy vendor patches promptly once available.

Additionally, organizations should consider isolating SAP web interfaces behind web application firewalls (WAFs) configured to detect and block XSS payloads. Maintaining up-to-date backups and incident response plans tailored to SAP environments will also aid in rapid recovery if exploitation occurs.


Technical Details

Data Version: 5.1
Assigner Short Name: sap
Date Reserved: 2025-04-16T13:25:25.736Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68ed9e3ae121319cf76b7b36

Added to database: 10/14/2025, 12:50:02 AM

Last enriched: 10/14/2025, 1:06:27 AM

Last updated: 10/16/2025, 6:14:00 AM
