Introduction
Deletion of business-critical data from SAP systems can halt operations and trigger costly recovery efforts. CVE-2025-42916 exposes a path for privileged attackers to delete the contents of arbitrary database tables in SAP environments when authorization groups are not properly configured. This brief summary highlights the technical mechanism, affected configurations, and SAP's security history relevant to this vulnerability.
SAP SE is the largest enterprise software provider globally, with over 440,000 customers and a dominant presence in ERP, CRM, and business intelligence. SAP's ABAP stack underpins many core business processes and is a frequent target for security research and attacks due to its complexity and centrality in enterprise IT.
Technical Information
CVE-2025-42916 is caused by missing input validation in SAP ABAP reports. ABAP reports typically accept user-supplied parameters that control data selection and processing logic. If these parameters are not properly validated, a user with high privileges can supply crafted input to trigger deletion operations on database tables. The vulnerability is only exploitable if the targeted table is not protected by an authorization group.
Authorization groups in SAP are implemented using the S_TABU_DIS authorization object and the DICBERCLS field. Administrators assign tables to authorization groups via transaction SE54. If a table is not assigned to any group, access controls may be bypassed, allowing destructive operations through vulnerable ABAP reports. The vulnerability is classified under CWE-1287 (Improper Validation of Specified Type of Input). No public code snippets or proof of concept are available for this issue.
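The check that a report accepting a table name should perform before any deletion, written here as an added example (not code from SAP or from the advisory): the report name, parameter p_table and form check_delete_allowed are placeholders, and it assumes the SE54 assignment is read from table TDDAT (field CCLASS), which the summary above does not name.

```abap
REPORT z_guarded_table_clear.

" Constructed example: the table name is user-supplied, exactly the
" input the summary says vulnerable reports fail to validate.
PARAMETERS: p_table TYPE tabname OBLIGATORY.

" Sets cv_allowed to abap_true only if the table is assigned to an
" authorization group and the caller holds S_TABU_DIS change authority.
FORM check_delete_allowed USING    iv_table   TYPE tabname
                          CHANGING cv_allowed TYPE abap_bool.
  DATA lv_group TYPE tddat-cclass.
  cv_allowed = abap_false.

  " Input validation: allow only characters legal in a DDIC table name
  " (trailing blanks included) before the value reaches dynamic SQL.
  IF iv_table CN 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_/ '.
    RETURN.
  ENDIF.

  " Assumption: the table-to-group mapping maintained via SE54 is stored
  " in TDDAT; CCLASS holds the authorization group. '&NC&' means "no group".
  SELECT SINGLE cclass FROM tddat INTO lv_group WHERE tabname = iv_table.
  IF sy-subrc <> 0 OR lv_group IS INITIAL OR lv_group = '&NC&'.
    " Unprotected table: fail closed instead of skipping the check,
    " which is the gap CVE-2025-42916 depends on.
    RETURN.
  ENDIF.

  " DICBERCLS is the authorization group field of S_TABU_DIS;
  " ACTVT 02 (change) is the activity that covers deleting rows.
  AUTHORITY-CHECK OBJECT 'S_TABU_DIS'
    ID 'DICBERCLS' FIELD lv_group
    ID 'ACTVT'     FIELD '02'.
  IF sy-subrc = 0.
    cv_allowed = abap_true.
  ENDIF.
ENDFORM.

START-OF-SELECTION.
  DATA lv_allowed TYPE abap_bool.
  PERFORM check_delete_allowed USING p_table CHANGING lv_allowed.
  IF lv_allowed = abap_false.
    MESSAGE 'Table has no authorization group or S_TABU_DIS authority is missing' TYPE 'E'.
  ENDIF.
  " Only after the check passes may the report act on (p_table).
```

Failing closed on a missing group, rather than treating it as "no restriction", is what turns the configuration gap described above into a denied operation.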
Affected Systems and Versions
- SAP systems running ABAP reports where database tables are not protected by authorization groups
- The vulnerability is not present if all tables are assigned to authorization groups
- No specific product versions or ranges are listed in public advisories as of this writing
- Only configurations lacking proper authorization group protection are vulnerable
Vendor Security History
SAP has a recurring history of critical vulnerabilities in its ABAP stack, including:
- CVE-2025-42957: ABAP code injection in SAP S/4HANA
- CVE-2025-42951: Authorization bypass in SAP Business One SLD
- Multiple input validation and authorization flaws addressed in recent monthly patch cycles
SAP maintains a monthly patch release schedule and collaborates with external researchers, but the frequency of critical ABAP and authorization issues highlights ongoing challenges in secure development and configuration.