CVE-2025-23186: 
SAP NetWeaver Application Server ABAP vulnerability analysis and mitigation

In SAP NetWeaver Application Server ABAP, a Mixed Dynamic RFC Destination vulnerability (CVE-2025-23186) was identified that allows an authenticated attacker to craft a Remote Function Call (RFC) request to restricted destinations. This high-severity vulnerability, discovered and disclosed on April 8, 2025, received a CVSS v3.1 base score of 8.5 (NVD, GBHackers).

The vulnerability is classified as a Code Injection vulnerability (CWE-94) that affects SAP NetWeaver Application Server ABAP. It enables authenticated attackers to craft RFC requests to restricted destinations, potentially exposing credentials for remote services. The vulnerability has been assigned a CVSS v3.1 score of 8.5 (High) with the following vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H (NVD).

The exploitation of this vulnerability can lead to the exposure of credentials for remote services, which can be further exploited to completely compromise the remote service. This poses significant risks to the confidentiality, integrity, and availability of the application (NVD).

SAP has released security patches as part of their April 2025 Security Patch Day. Organizations are strongly urged to apply these fixes immediately by consulting SAP's Support Portal for detailed guidance (SecurityOnline).

The vulnerability was disclosed as part of SAP's April 2025 Patch Day, which included a total of 18 new Security Notes and 2 updates to previously released notes. The security community has emphasized the importance of promptly addressing this vulnerability along with other critical issues released in the same patch cycle (GBHackers).