CVE-2025-42903: CWE-204: Observable Response Discrepancy in SAP_SE SAP Financial Service Claims Management
CVE-2025-42903 is a medium severity vulnerability in SAP Financial Service Claims Management affecting multiple versions. It involves an observable response discrepancy in the RFC function ICL_USER_GET_NAME_AND_ADDRESS, which can be exploited for user enumeration and limited disclosure of personal data. The vulnerability impacts confidentiality with no effect on integrity or availability and requires low privileges but no user interaction. There are no known exploits in the wild, and no patches have been published yet. The affected SAP versions include INSURANCE 803 through 806 and S4CEXT 107 through 109. European organizations using these SAP modules, especially in the insurance and financial sectors, could face targeted reconnaissance attempts. Mitigation involves restricting access to the vulnerable RFC function, monitoring for unusual query patterns, and applying SAP security best practices. Countries with significant SAP Financial Services deployments and strong insurance sectors, such as Germany, France, and the UK, are most likely to be affected. The vulnerability’s CVSS score is 4.3, reflecting a medium severity: the confidentiality impact is limited, but exploitation is easy for a caller who already holds low privileges.
AI Analysis
Technical Summary
CVE-2025-42903 identifies a vulnerability in SAP Financial Service Claims Management, specifically within the remote function call (RFC) ICL_USER_GET_NAME_AND_ADDRESS. This function exhibits an observable response discrepancy that allows an attacker with low-level privileges to perform user enumeration and potentially disclose limited personal data. The vulnerability falls under CWE-204 (Observable Response Discrepancy), where differences in system responses can be used to infer sensitive information. The affected SAP versions include INSURANCE 803 to 806 and S4CEXT 107 to 109. Exploitation requires network access and low privileges but no user interaction, making it feasible for insiders or attackers with limited access to gather intelligence. The impact is confined to confidentiality, with no integrity or availability consequences. No public exploits or patches are currently available, indicating the vulnerability is newly disclosed and not yet actively exploited. The CVSS 3.1 score of 4.3 reflects the medium severity, considering the ease of exploitation but limited impact scope. The vulnerability is particularly relevant for organizations relying on SAP Financial Service Claims Management modules, as it could facilitate targeted reconnaissance or social engineering by revealing user existence and partial personal data.
Potential Impact
For European organizations, especially those in the insurance and financial sectors using SAP Financial Service Claims Management, this vulnerability poses a risk of user enumeration and limited personal data exposure. While the confidentiality impact is low, the information gained could aid attackers in crafting targeted phishing campaigns or further attacks. There is no direct impact on system integrity or availability, so operational disruption is unlikely. However, the exposure of personal data could lead to regulatory compliance issues under GDPR, potentially resulting in fines or reputational damage. The vulnerability could be exploited by malicious insiders or external attackers who have gained low-level access to the network. Given the widespread use of SAP in Europe’s financial services industry, the vulnerability could be leveraged for reconnaissance in preparation for more severe attacks.
Mitigation Recommendations
To mitigate this vulnerability, organizations should implement strict access controls on the RFC function ICL_USER_GET_NAME_AND_ADDRESS, limiting its use to authorized personnel and systems only. Network segmentation should be employed to restrict access to SAP Financial Service Claims Management components. Monitoring and logging of RFC calls should be enhanced to detect unusual or repeated queries indicative of user enumeration attempts. Organizations should apply SAP security notes and patches promptly once available. Additionally, employing SAP’s security audit tools to review permissions and function usage can help identify and remediate excessive privileges. Training staff to recognize and report suspicious activity related to SAP systems is also recommended. Finally, organizations should review and update their incident response plans to include scenarios involving reconnaissance and data disclosure vulnerabilities.
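The monitoring recommendation above can be turned into a concrete detection rule. The following is an added example, not SAP code or the advisory's own tooling: it reads a constructed, simplified RFC call log (timestamp, calling user, source host, function, target user parameter) and flags any caller/host pair that queries many distinct user IDs through ICL_USER_GET_NAME_AND_ADDRESS within a short sliding window, the signature of enumeration rather than routine claims lookups. Real SAP RFC or Security Audit Log records would have to be mapped onto these fields first; the field names and sample values are assumptions.

```python
# Added example (not SAP code): flag callers that query many distinct user IDs
# through ICL_USER_GET_NAME_AND_ADDRESS in a short window. The log format is a
# constructed, simplified one; map real RFC/audit records to these fields first.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WATCHED_FUNC = "ICL_USER_GET_NAME_AND_ADDRESS"
LINE_RE = re.compile(r"^(?P<ts>\S+) caller=(?P<caller>\S+) host=(?P<host>\S+) "
                     r"func=(?P<func>\S+) target=(?P<target>\S+)$")

# Constructed sample: PROBE7 sweeps user IDs, BATCH01 does routine lookups.
SAMPLE_LOG = """\
2025-10-14T08:00:01Z caller=BATCH01 host=10.0.0.5 func=ICL_USER_GET_NAME_AND_ADDRESS target=CLAIMS_A
2025-10-14T08:00:02Z caller=PROBE7 host=10.0.0.9 func=ICL_USER_GET_NAME_AND_ADDRESS target=ADAMS
2025-10-14T08:00:03Z caller=PROBE7 host=10.0.0.9 func=ICL_USER_GET_NAME_AND_ADDRESS target=BAKER
2025-10-14T08:00:04Z caller=PROBE7 host=10.0.0.9 func=ICL_USER_GET_NAME_AND_ADDRESS target=CLARK
2025-10-14T08:00:05Z caller=PROBE7 host=10.0.0.9 func=ICL_USER_GET_NAME_AND_ADDRESS target=DAVIS
2025-10-14T08:00:06Z caller=PROBE7 host=10.0.0.9 func=ICL_USER_GET_NAME_AND_ADDRESS target=EVANS
2025-10-14T08:00:30Z caller=BATCH01 host=10.0.0.5 func=ICL_USER_GET_NAME_AND_ADDRESS target=CLAIMS_A
2025-10-14T08:05:00Z caller=BATCH01 host=10.0.0.5 func=RFC_PING target=-
2025-10-14T09:00:00Z caller=PROBE7 host=10.0.0.9 func=ICL_USER_GET_NAME_AND_ADDRESS target=FOX
"""

def parse(lines):
    # Yield one dict per well-formed line; silently skip lines that do not match.
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ev

def find_enumeration(lines, window=timedelta(seconds=60), threshold=5):
    """Return {(caller, host): peak distinct targets} for pairs that query at least
    `threshold` distinct target users within `window`. Lines must be in time order."""
    recent = defaultdict(deque)   # (caller, host) -> deque of (ts, target)
    alerts = {}
    for ev in parse(lines):
        if ev["func"] != WATCHED_FUNC:
            continue
        key = (ev["caller"], ev["host"])
        q = recent[key]
        q.append((ev["ts"], ev["target"]))
        while ev["ts"] - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        distinct = len({t for _, t in q})
        if distinct >= threshold:
            alerts[key] = max(distinct, alerts.get(key, 0))
    return alerts
```

Tune `window` and `threshold` against the normal call volume of legitimate claims processing accounts before alerting on them, and correlate flagged callers with the RFC authorizations they actually need.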
Affected Countries
Germany, France, United Kingdom, Netherlands, Switzerland, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: sap
- Date Reserved: 2025-04-16T13:25:25.736Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ed9e3ae121319cf76b7b3e
Added to database: 10/14/2025, 12:50:02 AM
Last enriched: 10/21/2025, 12:01:11 PM
Last updated: 12/4/2025, 5:59:10 PM