SAP NetWeaver Memory Corruption Flaw Lets Attackers Send Corrupted Logon Tickets

A newly disclosed vulnerability in SAP NetWeaver AS ABAP and ABAP Platform (CVE-2025-42902) allows unauthenticated attackers to crash server processes by sending malformed SAP Logon or SAP Assertion Tickets.

Rated Medium severity with a CVSS 3.1 score of 5.3, the flaw stems from a NULL pointer dereference that triggers memory corruption and termination of the affected process.

Affected versions include all supported releases from 7.22 through 9.16. SAP released advisory notes and patches on October 14, 2025.

Vulnerability Overview

CVE-2025-42902 arises from insufficient validation of incoming SAP Logon Tickets and SAP Assertion Tickets.

When the application server processes a corrupted ticket, it dereferences a NULL pointer, leading to a crash of the ABAP work process.

Product:            SAP NetWeaver AS ABAP and ABAP Platform
Affected versions:  KRNL64NUC 7.22; 7.22EXT; KRNL64UC 7.22; 7.53; KERNEL 7.22; 7.54; 7.77; 7.89; 7.93; 9.14; 9.15; 9.16
CVE ID:             CVE-2025-42902
CVSS 3.1 score:     5.3 (MEDIUM)

Since the flaw requires no authentication or user interaction, it can be exploited remotely over the network.

Although confidentiality and integrity remain intact, availability is impacted: repeated ticket submissions can cause denial-of-service conditions.

SAP confirmed the issue impacts both AS ABAP and the broader ABAP Platform across multiple kernel and version builds.

Technical Details

The underlying cause is a NULL Pointer Dereference (CWE-476) during ticket parsing.

The SAP application server expects a structured ticket object, but malformed input leads to an unexpected NULL reference. The work process attempts to access memory at this NULL pointer, resulting in a crash.

In a typical attack, an adversary crafts a malformed ticket payload and sends it via standard SAP logon interfaces.

No valid SAP user credentials are required. Each malformed ticket submission causes a work process to terminate; with enough parallel connections, the entire server instance may become unresponsive.

The following pseudocode outlines the vulnerable sequence:

receive_ticket(payload):
    ticket = parse_ticket(payload)        # a malformed payload yields a ticket whose header is NULL
    # missing: if ticket.header == NULL, reject the ticket before it is used
    work_process.access(ticket.header)    # NULL dereference: the work process crashes
    continue_processing(ticket)

This flaw differs from typical injection or authentication bypass issues: it relies solely on a memory safety error in ticket handling.
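To make the CWE-476 pattern concrete, here is an added C illustration (not SAP's code, and not the real logon ticket encoding) that places the unchecked sequence from the pseudocode beside a hardened version. The ticket layout, the parse_ticket/receive_ticket_* functions and the sample payloads are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified ticket layout used only for this illustration
 * (not SAP's real logon/assertion ticket encoding):
 *   byte 0      : version, must be 0x02
 *   byte 1      : header length N (1..255)
 *   bytes 2..N+1: header bytes */
typedef struct {
    const uint8_t *header;   /* NULL when the payload could not be parsed */
    size_t header_len;
} ticket_t;

/* Mirrors the article's parse_ticket(): malformed input yields a NULL header. */
ticket_t parse_ticket(const uint8_t *payload, size_t len) {
    ticket_t t = { NULL, 0 };
    if (payload == NULL || len < 2 || payload[0] != 0x02) return t;
    size_t n = payload[1];
    if (n == 0 || n > len - 2) return t;   /* empty or truncated header */
    t.header = payload + 2;
    t.header_len = n;
    return t;
}

/* The vulnerable sequence: the header is used without checking for NULL.
 * On a malformed ticket this reads address 0 and the process crashes (CWE-476). */
int receive_ticket_vulnerable(const uint8_t *payload, size_t len) {
    ticket_t t = parse_ticket(payload, len);
    return t.header[0];
}

/* Hardened sequence: reject the ticket before any field is touched.
 * Returns the first header byte on success, -1 for a rejected ticket. */
int receive_ticket_safe(const uint8_t *payload, size_t len) {
    ticket_t t = parse_ticket(payload, len);
    if (t.header == NULL) {
        fprintf(stderr, "rejected malformed ticket (%zu bytes)\n", len);
        return -1;
    }
    return t.header[0];
}

int main(void) {
    const uint8_t good[] = { 0x02, 0x03, 'A', 'B', 'C' };  /* constructed valid ticket */
    const uint8_t bad[]  = { 0x02, 0x10, 'A' };            /* constructed: claims a 16-byte header */
    printf("valid ticket     -> %d\n", receive_ticket_safe(good, sizeof good));
    printf("malformed ticket -> %d\n", receive_ticket_safe(bad, sizeof bad));
    return 0;
}
```

Calling receive_ticket_vulnerable with the malformed sample would terminate the process, which is exactly the per-request work process crash the advisory describes; the hardened path turns the same input into a logged rejection.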

SAP has published security note 3627308 and issued patches on its October 2025 patch day. Administrators should apply the provided kernel and platform updates immediately.

As a temporary workaround, organizations can block incoming ticket parsing by disabling external logon ticket acceptance on the SAP ICM component, though this may disrupt legitimate federated logins.

Because no exploitation has been publicly observed, proactive patching remains the best defense.

Regular security posture reviews and network-level filtering of SAP interfaces can further reduce risk. Ensuring SAProuter or Web Dispatcher is configured to allow only trusted sources will limit exposure.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.