CVE-2025-42945: 
SAP NetWeaver Application Server ABAP vulnerability analysis and mitigation

SAP NetWeaver Application Server ABAP contains an HTML injection vulnerability identified as CVE-2025-42945. The vulnerability was discovered and disclosed on August 11, 2025. This security flaw affects the NetWeaver Application Server ABAP platform, allowing attackers to craft malicious URLs containing script payloads that can be executed when accessed by users with active sessions (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. This indicates that the vulnerability can be exploited remotely (AV:N) with low attack complexity (AC:L), requires no privileges (PR:N), but does need user interaction (UI:R). The scope is changed (S:C), with low impacts on confidentiality (C:L) and integrity (I:L), and no impact on availability (A:N). The vulnerability is classified as CWE-94 (Improper Control of Generation of Code) (NVD).

Upon successful exploitation, this vulnerability could lead to limited access to data or its manipulation. The vulnerability affects data confidentiality and integrity but has no impact on system availability. The attack requires an active user session to be exploited, potentially allowing attackers to access or modify sensitive information (NVD, Cybersecurity News).

SAP has addressed this vulnerability as part of their August 2025 Security Patch Day updates. Organizations running affected SAP NetWeaver Application Server ABAP systems should immediately apply the security patches available through the SAP Support Portal (Cybersecurity News).

The vulnerability was disclosed as part of SAP's August 2025 Security Patch Day, which addressed a total of 15 vulnerabilities across various SAP products. This HTML injection vulnerability was classified as medium severity among the other security issues patched in this release (Cybersecurity News).