SAP ABAP CVE-2025-42929: Brief Summary of Arbitrary Database Table Deletion via Input Validation Flaw

This post provides a brief summary of CVE-2025-42929, a high-severity input validation flaw in SAP ABAP that allows privileged attackers to delete arbitrary database table content when authorization groups are not properly configured. Includes technical details, affected versions, and references to SAP advisories.

ZeroPath CVE Analysis

2025-09-08

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.


Introduction

Attackers with privileged access to SAP ABAP reports can delete the content of arbitrary database tables if authorization groups are not properly configured. This vulnerability, tracked as CVE-2025-42929, directly threatens the integrity and availability of SAP-managed business data, with a CVSS score of 8.1. In large enterprise environments where SAP serves as the backbone for financial, operational, and compliance processes, such a flaw can result in significant business disruption and data loss.

SAP (Systems, Applications, and Products in Data Processing) is a global leader in enterprise resource planning and business software, with its ABAP (Advanced Business Application Programming) platform powering mission-critical applications for thousands of organizations worldwide. SAP's security posture is closely watched due to the platform's ubiquity and the sensitive nature of the data it manages.

Technical Information

CVE-2025-42929 is caused by missing input validation in the execution of ABAP reports. When a user with high privileges provides crafted input to a vulnerable ABAP report, the system does not properly validate the input type or content. This allows the attacker to specify arbitrary database tables as targets for deletion operations. The vulnerability is only exploitable if the targeted table is not protected by an authorization group, which is managed in SAP via the S_TABU_DIS authorization object.

The root cause is classified as CWE-1287 (Improper Validation of Specified Type of Input). The flaw allows attackers to bypass intended access controls by exploiting gaps in input validation logic. Exploitation requires prior compromise of a privileged account or insider access, as only users with sufficient ABAP report execution rights can leverage this issue. There are no public code snippets or proof-of-concept exploits available for this vulnerability.

Affected Systems and Versions

  • SAP ABAP environments where database tables are not protected by an authorization group
  • Only tables lacking an authorization group assignment (including those assigned to the default "&NC&" group) are vulnerable
  • The vulnerability is present in any SAP system where ABAP reports process input without proper validation and where authorization group protections are missing
  • No specific SAP version numbers or product ranges are provided in the available advisories
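
The exposure condition in the list above can be audited offline. The following Python script is an added example, not code from SAP or the advisory: it joins a table list with the table-to-authorization-group assignment and flags database tables that have no group or only "&NC&". It assumes CSV exports of the dictionary tables DD02L and TDDAT with the columns shown; the sample rows and Z-table names are constructed.

```python
import csv
import io

# Constructed sample exports (not real system data). Columns follow DD02L (table
# headers) and TDDAT (table -> authorization group); the CSV layout is assumed.
DD02L_CSV = """TABNAME,TABCLASS
ZSALES_HDR,TRANSP
ZSALES_ITM,TRANSP
ZPAY_RUN,TRANSP
ZLOG_BUF,TRANSP
ZS_ADDRESS,INTTAB
"""
TDDAT_CSV = """TABNAME,CCLASS
ZSALES_HDR,ZSD1
ZSALES_ITM,&NC&
ZPAY_RUN,
"""

DB_TABLE_CLASSES = {"TRANSP", "POOL", "CLUSTER"}  # classes that hold data rows
UNPROTECTED = {"", "&NC&"}  # blank or the default "not classified" group


def load_auth_groups(tddat_file):
    """Map table name -> authorization group from a TDDAT export."""
    return {row["TABNAME"].strip().upper(): (row["CCLASS"] or "").strip().upper()
            for row in csv.DictReader(tddat_file)}


def find_unprotected_tables(dd02l_file, tddat_file):
    """Return sorted (table, reason) pairs for tables without a real group."""
    groups = load_auth_groups(tddat_file)
    findings = []
    for row in csv.DictReader(dd02l_file):
        if row["TABCLASS"].strip().upper() not in DB_TABLE_CLASSES:
            continue  # structures and views store no rows of their own
        table = row["TABNAME"].strip().upper()
        if table not in groups:
            findings.append((table, "no TDDAT entry"))
        elif groups[table] in UNPROTECTED:
            findings.append((table, f"group {groups[table] or '<blank>'}"))
    return sorted(findings)


def audit_sample():
    return find_unprotected_tables(io.StringIO(DD02L_CSV), io.StringIO(TDDAT_CSV))


if __name__ == "__main__":
    print(*audit_sample(), sep="\n")
```

Tables reported here are the ones to assign to a dedicated authorization group so that S_TABU_DIS checks apply to them.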

Vendor Security History

SAP has experienced several high-profile vulnerabilities in recent years, notably CVE-2025-42957 (critical ABAP code injection, exploited in the wild) and CVE-2025-42950 (code injection in SAP Landscape Transformation). SAP's response typically includes coordinated disclosure, rapid patch release, and detailed security notes. The complexity of SAP's authorization and configuration frameworks means that misconfigurations or missing controls can result in significant security gaps, as demonstrated by recurring issues related to input validation and authorization enforcement.
