CVE-2025-42904: CWE-549: Missing Password Field Masking in SAP_SE Application Server ABAP
Due to an Information Disclosure vulnerability in Application Server ABAP, an authenticated attacker could read unmasked values displayed in ABAP Lists. Successful exploitation could lead to unauthorized disclosure of data, resulting in a high impact on confidentiality without affecting integrity or availability.
AI Analysis
Technical Summary
CVE-2025-42904 is a medium-severity information disclosure vulnerability identified in SAP SE's Application Server ABAP. The vulnerability arises from missing password field masking in ABAP lists, which are used to display data within the SAP environment. Specifically, when password or other sensitive fields are rendered in these lists, they are not properly masked, allowing authenticated users to see the actual values in clear text. This flaw is categorized under CWE-549 (Missing Password Field Masking), a common security oversight that can lead to exposure of credentials or other confidential information. The affected SAP ABAP versions include KRNL64UC 7.53, KERNEL 7.53, 7.54, 7.77, 7.89, 7.93, 9.16, and 9.17, indicating a broad range of impacted releases. The vulnerability requires the attacker to have valid authentication credentials but does not require any user interaction, making it easier to exploit once access is obtained. The CVSS v3.1 base score is 6.5, reflecting a medium severity level primarily due to the high impact on confidentiality (C:H) while integrity and availability remain unaffected (I:N/A:N). The attack vector is network-based (AV:N) with low attack complexity (AC:L) and low privileges required (PR:L). No known exploits have been reported in the wild as of the publication date. The vulnerability could lead to unauthorized disclosure of sensitive data, potentially including passwords or other confidential information displayed in ABAP lists, which could be leveraged for further attacks or data breaches. SAP customers should monitor SAP security advisories for patches and implement interim controls to limit exposure.
Potential Impact
For European organizations, the impact of CVE-2025-42904 can be significant due to the widespread use of SAP Application Server ABAP in enterprise resource planning (ERP), finance, manufacturing, and critical infrastructure sectors. Unauthorized disclosure of sensitive data such as passwords or confidential business information could lead to further compromise, including lateral movement within networks or escalation of privileges. Although the vulnerability does not directly affect system integrity or availability, the confidentiality breach could undermine compliance with data protection regulations such as GDPR, resulting in legal and financial repercussions. Industries with high reliance on SAP systems, including automotive, manufacturing, energy, and public sector entities, may face increased risk. The requirement for authenticated access limits the threat to insiders or attackers who have already compromised credentials, but this does not diminish the risk posed by insider threats or credential theft. Additionally, the lack of user interaction needed for exploitation means attackers can automate data extraction once authenticated. The absence of known exploits in the wild currently reduces immediate risk but does not preclude future exploitation, especially as attackers often target SAP environments due to their critical business role.
Mitigation Recommendations
1. Monitor SAP Security Notes and apply official patches promptly once released for the affected ABAP versions.
2. Restrict access to SAP Application Server ABAP lists to only trusted and necessary users by enforcing strict role-based access controls (RBAC).
3. Conduct regular audits of user privileges and remove or limit access for users who do not require it to reduce the attack surface.
4. Implement strong authentication mechanisms, including multi-factor authentication (MFA), to reduce the risk of credential compromise.
5. Enable logging and continuous monitoring of SAP system access and ABAP list views to detect unusual or unauthorized activity early.
6. Educate SAP administrators and users about the risks of exposing sensitive data in ABAP lists and encourage secure coding and configuration practices.
7. Consider deploying SAP Enterprise Threat Detection or similar tools to identify potential exploitation attempts.
8. Isolate SAP systems from general network access where possible, using network segmentation and firewalls to limit exposure.
9. Review and sanitize ABAP code or custom reports that may inadvertently display sensitive information unmasked.
10. Prepare incident response plans specific to SAP environments to quickly address any data disclosure incidents.
Affected Countries
Germany, Netherlands, France, United Kingdom, Switzerland, Sweden, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: sap
- Date Reserved: 2025-04-16T13:25:25.736Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69378a8b0af42da4c56f97c2
Added to database: 12/9/2025, 2:33:47 AM
Last enriched: 12/9/2025, 2:50:43 AM
Last updated: 12/11/2025, 2:39:49 AM
Views: 58
Related Threats
- CVE-2025-67720: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Mayuri-Chan pyrofork (Medium)
- CVE-2025-67719: CWE-620: Unverified Password Change in ibexa user (High)
- CVE-2025-67716: CWE-184: Incomplete List of Disallowed Inputs in auth0 nextjs-auth0 (Medium)
- CVE-2025-67511: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') in aliasrobotics cai (Critical)
- CVE-2025-67713: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in miniflux v2 (Medium)