CVE-2025-31329: 
SAP NetWeaver Application Server ABAP vulnerability analysis and mitigation

SAP NetWeaver was found to be vulnerable to an Information Disclosure vulnerability (CVE-2025-31329), discovered and disclosed on May 12, 2025. The vulnerability affects SAP NetWeaver Application Server ABAP and has been assigned a CVSS v3.1 base score of 6.2 (MEDIUM). The vulnerability stems from the injection of malicious instructions into user configuration settings (NVD, Wiz).

The vulnerability is classified as CWE-141 (Improper Neutralization of Parameter/Argument Delimiters). The CVSS v3.1 vector string is CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N, indicating network accessibility, low attack complexity, high privileges required, user interaction required, and high impact on confidentiality with no impact on integrity or availability (NVD, Wiz).

The vulnerability enables an attacker with administrative privileges to craft malicious instructions that, when accessed by the victim, expose sensitive information such as user credentials. These exposed credentials can potentially be used to gain unauthorized access to local or adjacent systems. The impact is primarily on confidentiality, with no significant effect on integrity or availability (NVD, Wiz).

SAP has released security patches to address this vulnerability. Users are advised to apply the available updates as detailed in the SAP security advisory (SAP Security, SAP Note).