CVE-2025-42974 is a medium-severity vulnerability affecting SAP NetWeaver and ABAP Platform (specifically the SDCCN component) versions ST-PI 2008_1_700, 2008_1_710, and 740. The root cause is a missing authorization check (CWE-862) in a remote-enabled function module. This flaw allows an attacker who is authenticated as a non-administrative user to invoke this function module without proper permission validation. As a result, the attacker can access information that should normally be restricted. The vulnerability does not impact data integrity or system availability, limiting its effect primarily to confidentiality. The CVSS v3.1 score is 4.3, reflecting a network attack vector with low complexity, requiring low privileges but no user interaction, and resulting in limited confidentiality impact. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability is significant because SAP NetWeaver and ABAP platforms are widely used enterprise resource planning (ERP) and business process platforms, often containing sensitive corporate data. Unauthorized information disclosure could aid attackers in reconnaissance or further attacks, especially in environments where users have limited privileges but still hold access to sensitive business data. The vulnerability’s exploitation requires valid credentials but no administrative privileges, which lowers the barrier for insider threats or compromised user accounts to escalate information access beyond their authorization.

For European organizations, this vulnerability poses a risk of unauthorized information disclosure within SAP environments, potentially exposing sensitive business data, customer information, or intellectual property. Given SAP’s extensive adoption across European industries such as manufacturing, finance, retail, and public sector, unauthorized data access could lead to competitive disadvantage, regulatory compliance issues (e.g., GDPR violations), and reputational damage. Although the impact on integrity and availability is null, the confidentiality breach could facilitate further attacks, including social engineering or privilege escalation. Organizations with complex SAP landscapes and multiple user roles may face challenges in detecting misuse of this vulnerability. The medium severity suggests a moderate risk, but the widespread use of SAP in Europe and the critical nature of data processed by these systems amplify the potential consequences. Additionally, the lack of current exploits provides a window for proactive mitigation before active exploitation occurs.

European organizations should implement the following specific measures: 1) Conduct a thorough review of user privileges and roles within SAP NetWeaver and ABAP platforms to ensure least privilege principles are enforced, minimizing the number of users with access to vulnerable function modules. 2) Apply SAP security notes and patches as soon as they become available for the affected versions, even if no exploits are currently known. 3) Enable and monitor detailed logging and auditing of remote-enabled function module calls, focusing on unusual access patterns by non-administrative users. 4) Use SAP’s built-in authorization trace tools (e.g., ST01) to detect unauthorized or suspicious function calls. 5) Implement network segmentation and access controls to restrict SAP system access only to trusted users and systems. 6) Educate SAP administrators and security teams about this vulnerability to improve detection and response capabilities. 7) Consider deploying compensating controls such as application-level encryption or masking for particularly sensitive data accessible via these function modules. These steps go beyond generic advice by focusing on SAP-specific tools, user privilege hygiene, and proactive monitoring tailored to the vulnerability’s characteristics.