CVE-2025-42959
HIGHSAP NetWeaver ABAP Server and ABAP Platform - Unauthenticated Replay Attack via HMAC Credential Reuse
Title source: llmDescription
An unauthenticated attacker may exploit a scenario where a Hashed Message Authentication Code (HMAC) credential, extracted from a system missing specific security patches, is reused in a replay attack against a different system. Even if the target system is fully patched, successful exploitation could result in complete system compromise, affecting confidentiality, integrity, and availability.
References (2)
Core 2
Core References
Vendor Advisory
https://me.sap.com/notes/3600846
Vendor Advisory
https://url.sap/sapsecuritypatchday
Scores
CVSS v3
8.1
EPSS
0.0022
EPSS Percentile
44.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-308
Status
published
Products (16)
SAP_SE/SAP NetWeaver ABAP Server and ABAP Platform
SAP_BASIS 700
SAP_SE/SAP NetWeaver ABAP Server and ABAP Platform
SAP_BASIS 701
SAP_SE/SAP NetWeaver ABAP Server and ABAP Platform
SAP_BASIS 702
SAP_SE/SAP NetWeaver ABAP Server and ABAP Platform
SAP_BASIS 731
SAP_SE/SAP NetWeaver ABAP Server and ABAP Platform
SAP_BASIS 740
SAP_SE/SAP NetWeaver ABAP Server and ABAP Platform
SAP_BASIS 750
SAP_SE/SAP NetWeaver ABAP Server and ABAP Platform
SAP_BASIS 751
SAP_SE/SAP NetWeaver ABAP Server and ABAP Platform
SAP_BASIS 752
SAP_SE/SAP NetWeaver ABAP Server and ABAP Platform
SAP_BASIS 753
SAP_SE/SAP NetWeaver ABAP Server and ABAP Platform
SAP_BASIS 754
... and 6 more
Published
Jul 08, 2025
Tracked Since
Feb 18, 2026