Description
Due to a Cross-Site Request Forgery (CSRF) vulnerability in SAP NetWeaver Application Server for ABAP, an authenticated attacker could initiate transactions directly via the session manager, bypassing the first transaction screen and the associated authorization check. This vulnerability could allow the attacker to perform actions and execute transactions that would normally require specific permissions, compromising the integrity and confidentiality of the system by enabling unauthorized access to restricted functionality. There is no impact to availability from this vulnerability.
References (2)
Core 2
Core References
Vendor Advisory
https://me.sap.com/notes/3642021
Vendor Advisory
https://url.sap/sapsecuritypatchday
Scores
CVSS v3
5.4
EPSS
0.0002
EPSS Percentile
6.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-352
Status
published
Products (7)
SAP_SE/SAP NetWeaver Application Server for ABAP
7.54
SAP_SE/SAP NetWeaver Application Server for ABAP
7.77
SAP_SE/SAP NetWeaver Application Server for ABAP
7.89
SAP_SE/SAP NetWeaver Application Server for ABAP
7.93
SAP_SE/SAP NetWeaver Application Server for ABAP
9.16
SAP_SE/SAP NetWeaver Application Server for ABAP
KERNEL 7.53
SAP_SE/SAP NetWeaver Application Server for ABAP
KRNL64UC 7.53
Published
Oct 14, 2025
Tracked Since
Feb 18, 2026