CVE-2025-42941 is a security vulnerability identified in SAP Fiori Launchpad, specifically affecting SAP_UI version 754. The vulnerability is categorized under CWE-1022, which relates to the use of web links to untrusted targets with window.opener access, commonly known as a Reverse Tabnabbing vulnerability. This issue arises due to insufficient protections on external navigation links (<a> elements) within the SAP Fiori Launchpad interface. When a user clicks a link that opens a new tab or window, the newly opened page can manipulate the original page via the window.opener property if proper safeguards are not implemented. In this case, an attacker with administrative privileges can craft or leverage malicious or compromised pages to exploit this vulnerability. Notably, while administrative privileges are required to configure or introduce such malicious links, the actual exploitation does not require the victim user to have administrative rights. The attack could lead to unintended manipulation of user sessions or exposure of sensitive information, impacting the confidentiality and integrity of the system. However, the availability of the system remains unaffected. The CVSS v3.1 base score is 3.5, indicating a low severity level, reflecting the need for administrative privileges and user interaction to exploit the vulnerability, as well as the limited impact on availability. No known exploits are currently reported in the wild, and no patches have been linked yet.

For European organizations using SAP Fiori Launchpad (SAP_UI 754), this vulnerability poses a risk primarily to the confidentiality and integrity of sensitive business data and user sessions. Given SAP's widespread adoption across various industries in Europe, including manufacturing, finance, and public sector entities, exploitation could lead to unauthorized access or manipulation of critical business processes. The requirement for administrative privileges to set up malicious links limits the attack surface to insider threats or attackers who have already gained elevated access. However, once exploited, normal users could be targeted through crafted links, potentially leading to session hijacking or data leakage. The impact is particularly significant for organizations with complex SAP landscapes and multiple users accessing the Fiori Launchpad, as it could undermine trust in the system's security and lead to compliance issues under GDPR if personal data is exposed. Availability is not impacted, so operational disruptions are unlikely, but the breach of confidentiality and integrity could have regulatory and reputational consequences.

To mitigate this vulnerability, European organizations should implement the following specific measures: 1) Review and restrict administrative privileges to minimize the number of users who can configure or introduce external links in SAP Fiori Launchpad. 2) Apply strict input validation and sanitization on all external links to ensure they include the rel="noopener noreferrer" attribute, which prevents the window.opener property from being accessible to the linked page, thereby mitigating Reverse Tabnabbing risks. 3) Conduct regular security audits and code reviews of custom SAP Fiori applications and configurations to detect and remediate unsafe link usage. 4) Educate users about the risks of clicking on external links within the SAP environment, especially those that open new tabs or windows. 5) Monitor SAP system logs for unusual administrative activities related to link configurations. 6) Stay updated with SAP security advisories and apply patches or updates as soon as they become available. 7) Consider deploying web application firewalls (WAF) with rules to detect and block suspicious link manipulations or redirections within SAP web interfaces.