
CVE-2025-0066

Critical

Published: 14 January 2025
Modified: 23 October 2025
KEV Added:
Patch
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0009 (26.0th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Under certain conditions SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) allows an attacker to access restricted information due to weak access controls. This can have a significant impact on the confidentiality, integrity, and availability of an application.

Security Summary

CVE-2025-0066 affects SAP NetWeaver AS for ABAP and ABAP Platform, specifically the Internet Communication Framework component. The vulnerability arises from weak access controls under certain conditions, enabling an attacker to access restricted information. This issue, published on 2025-01-14, carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and is linked to CWE-732 (Incorrect Permission Assignment for Critical Resource), with potential significant impacts on the confidentiality, integrity, and availability of affected applications.

An attacker with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. The changed scope (S:C) amplifies the impact, allowing high effects on confidentiality, integrity, and availability beyond the vulnerable component itself, potentially leading to full compromise of the targeted application.

SAP advisories provide mitigation guidance, including details in Note 3550708 (https://me.sap.com/notes/3550708) and the SAP Security Patch Day page (https://url.sap/sapsecuritypatchday). Security practitioners should review these references for applicable patches and remediation instructions.

Details

CWE(s)
CWE-732

Affected Products

Vendor: sap
Product: sap basis
Versions: 700, 701, 702, 731, 740
