Cyber Posture

CVE-2025-0063

High

Published: 14 January 2025

Modified: 24 October 2025
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0018 (39.8th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

SAP NetWeaver AS ABAP and ABAP Platform do not check for authorization when a user executes some RFC function modules. This could allow an attacker with basic user privileges to gain control over the data in the Informix database, leading to complete compromise of confidentiality, integrity and availability.

Security Summary

CVE-2025-0063 is a high-severity vulnerability (CVSS 8.8, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) in SAP NetWeaver AS ABAP and ABAP Platform, published on 2025-01-14. It stems from a failure to perform authorization checks when users execute certain RFC function modules. The record classifies the weakness as CWE-89 (SQL injection). The flaw enables unauthorized access to and control over data in the underlying Informix database, which can result in full compromise of confidentiality, integrity, and availability.

The vulnerability can be exploited over the network by an attacker who holds basic user privileges, with low attack complexity and no user interaction required. Successful exploitation grants the attacker complete control over Informix database data, allowing arbitrary read, modification, or deletion operations that undermine the system's core security properties.

Mitigation guidance is provided in SAP Note 3550816 and on the SAP Security Patch Day page at the referenced URLs, which detail patches and remediation steps for affected systems.

Details

CWE(s)
CWE-89

Affected Products

sap / sap basis: 700, 701, 702, 731, 740

References