CVE-2025-42986 is a medium-severity vulnerability affecting multiple versions of SAP BASIS within the SAP NetWeaver and ABAP Platform. The root cause is a missing authorization check in an obsolete Remote Function Call (RFC) enabled function module. This flaw allows an authenticated attacker with low privileges to invoke this RFC and potentially access restricted system information that should otherwise be protected. The vulnerability does not impact the integrity or availability of the system, but it does pose a risk to confidentiality by exposing sensitive information. The affected SAP BASIS versions range from 700 through 754, covering a broad spectrum of SAP NetWeaver deployments. Exploitation requires the attacker to have some level of authenticated access, but no user interaction is needed beyond that. The CVSS 3.1 base score is 4.3, reflecting a low complexity attack vector (network), low attack complexity, and limited impact confined to confidentiality. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability is classified under CWE-862, indicating missing authorization, which is a common security weakness where access controls are insufficient or absent, allowing unauthorized access to resources or functions.

For European organizations, the impact primarily concerns confidentiality breaches within SAP environments. SAP systems are widely used across Europe in sectors such as manufacturing, finance, utilities, and public administration, often containing sensitive business data and personally identifiable information (PII). Although the vulnerability does not affect system integrity or availability, unauthorized access to restricted system information could facilitate further reconnaissance or targeted attacks. This could lead to data leakage, compliance violations (e.g., GDPR), and erosion of trust. Given the requirement for authenticated access, the threat is somewhat mitigated by existing access controls, but insider threats or compromised credentials could be leveraged to exploit this vulnerability. Organizations relying heavily on SAP NetWeaver and ABAP platforms, especially those running the affected SAP BASIS versions, are at risk of information disclosure that could aid attackers in planning more damaging intrusions.

European organizations should prioritize the following mitigation steps: 1) Conduct an immediate inventory of SAP BASIS versions in use to identify affected systems. 2) Restrict access to SAP systems by enforcing strong authentication mechanisms, including multi-factor authentication (MFA), to reduce the risk of credential compromise. 3) Review and tighten RFC permissions, especially for obsolete or rarely used function modules, to ensure that only authorized users can invoke sensitive RFC calls. 4) Implement SAP security notes and patches as soon as they become available from SAP, even though no patch links are currently provided. 5) Monitor SAP system logs and network traffic for unusual RFC call patterns that could indicate exploitation attempts. 6) Conduct regular security audits and penetration testing focused on SAP environments to detect missing authorization issues proactively. 7) Educate SAP administrators and users about the risks of low-privileged access and the importance of safeguarding credentials.