CVE-2025-23193
Published: 11 February 2025
Description
SAP NetWeaver Server ABAP allows an unauthenticated attacker to exploit a vulnerability that causes the server to respond differently based on the existence of a specified user, potentially revealing sensitive information. This issue does not enable data modification and has no impact on server availability.
Security Summary
CVE-2025-23193 is an information disclosure vulnerability in SAP NetWeaver Server ABAP. It allows an unauthenticated attacker to exploit differences in server responses based on the existence of a specified user, potentially revealing sensitive information about valid usernames. The issue is classified under CWE-204 (Observable Response Discrepancy) and carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating medium severity with low confidentiality impact and no effects on integrity or availability.
An unauthenticated attacker with network access to the SAP NetWeaver Server ABAP can exploit this vulnerability remotely with low complexity and no user interaction required. By sending requests that name candidate usernames and comparing the responses, the attacker can distinguish accounts that exist from those that do not, building a list of valid users for follow-on attacks such as password spraying, but without enabling data modification or service disruption.
SAP advisories provide mitigation details, including a security note at https://me.sap.com/notes/3561264 and patches released as part of SAP Security Patch Day at https://url.sap/sapsecuritypatchday. Security practitioners should apply these updates promptly to affected systems; until they are applied, a burst of requests from one source that cycle through many distinct usernames is the pattern to watch for.
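The mechanics of CWE-204 are easiest to see in a small simulation. The block below is an added example, not SAP code and not a description of how NetWeaver behaves internally: it defines a hypothetical login check whose response differs for unknown users (the vulnerable shape), a hardened check that returns the same status, message and amount of work whether or not the user exists, and an attacker-side oracle that uses the discrepancy to pick valid accounts out of a wordlist. The user store, password hashes and candidate names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Tuple

# Constructed sample user store (hypothetical; not SAP data). A real system
# would use per-user salts; a fixed salt keeps the example short.
_SALT = b"example-salt"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 10_000)


USERS: Dict[str, bytes] = {
    "alice": _hash("correct horse"),
    "bob": _hash("hunter2"),
}

# Precomputed hash used when the user does not exist, so the hardened path
# spends the same effort on unknown and known users (no timing side channel).
_DUMMY_HASH = _hash("dummy-password")

Response = Tuple[int, str]


def login_vulnerable(user: str, password: str) -> Response:
    """CWE-204 shape: unknown users get a different status and message."""
    stored = USERS.get(user)
    if stored is None:
        return 404, "User does not exist"
    if hmac.compare_digest(stored, _hash(password)):
        return 200, "Login successful"
    return 401, "Wrong password"


def login_hardened(user: str, password: str) -> Response:
    """Uniform status, message and work regardless of whether the user exists."""
    stored = USERS.get(user, _DUMMY_HASH)
    ok = hmac.compare_digest(stored, _hash(password))
    # Guard against a guess of the dummy password for a non-existent user.
    if ok and user in USERS:
        return 200, "Login successful"
    return 401, "Invalid username or password"


def enumerate_users(login: Callable[[str, str], Response],
                    candidates: List[str]) -> List[str]:
    """Attacker-side oracle.

    Probe each candidate with a random junk password and group candidates by
    the (status, message) pair observed. Assumes the wordlist is mostly
    non-existent names, so the majority response is the 'unknown user'
    baseline; every candidate that answers differently is inferred to exist.
    Against a hardened endpoint all responses collapse to one group and the
    oracle returns nothing.
    """
    junk = secrets.token_hex(8)
    observed = {c: login(c, junk) for c in candidates}
    counts: Dict[Response, int] = {}
    for resp in observed.values():
        counts[resp] = counts.get(resp, 0) + 1
    baseline = max(counts, key=counts.get)
    return sorted(c for c, r in observed.items() if r != baseline)


if __name__ == "__main__":
    wordlist = ["alice", "bob", "carol", "dave", "erin"]
    print("vulnerable:", enumerate_users(login_vulnerable, wordlist))
    print("hardened:  ", enumerate_users(login_hardened, wordlist))
```

The oracle only looks at status and message, which is the discrepancy this CVE describes; a real assessment would also compare body length, headers and response time, since any of those can leak the same bit. The hardened variant shows the two properties a fix needs: one error string for both failure cases, and the same password-hash work on the unknown-user path so timing does not reopen the channel.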
Details
- CWE(s): CWE-204 (Observable Response Discrepancy)