A critical memory corruption vulnerability in SAP NetWeaver AS ABAP and the ABAP Platform (CVE-2025-42902) has been disclosed, enabling unauthenticated attackers to crash server processes by delivering malformed SAP Logon or SAP Assertion Tickets.
Rated Medium with a CVSS 3.1 score of 5.3, the flaw results from a NULL pointer dereference during ticket parsing, causing memory corruption and process termination.
SAP released its advisory and patches on October 14, 2025, urging administrators to apply updates immediately.
Vulnerability Overview
CVE-2025-42902 stems from insufficient validation of incoming SAP Logon Tickets and SAP Assertion Tickets.
When an application server receives a corrupted ticket, the parsing routine dereferences a NULL pointer, which leads to a crash of the ABAP work process.
Because the flaw requires no authentication or user interaction, it can be exploited remotely over the network, impacting availability through repeated ticket submissions that induce denial-of-service conditions. Confidentiality and integrity remain unaffected.
Affected versions span all supported releases from 7.22 through 9.16, covering various kernel builds for AS ABAP and ABAP Platform deployments.
SAP has confirmed that both standalone AS ABAP installations and broader ABAP Platform environments are impacted across multiple kernel and version builds.

| Field | Details |
|---|---|
| Product | SAP NetWeaver AS ABAP and ABAP Platform |
| Affected Versions | KRNL64NUC 7.22; 7.22EXT; KRNL64UC 7.22; 7.53; KERNEL 7.22; 7.54; 7.77; 7.89; 7.93; 9.14; 9.15; 9.16 |
| CVE ID | CVE-2025-42902 |
| CVSS 3.1 Score | 5.3 (Medium) |

The root cause of CVE-2025-42902 is a NULL Pointer Dereference (CWE-476) during ticket parsing.
The SAP application server anticipates a well-structured ticket object; however, malformed input leads to an unexpected NULL reference.
When the work process attempts to access memory at this NULL pointer, it triggers a crash.
In a typical attack scenario, an adversary crafts a malformed ticket payload and sends it via standard SAP logon interfaces. No valid SAP user credentials are required.
Each malformed ticket submission causes a work process to terminate; with sufficient parallel connections, the entire server instance may become unresponsive.
The following pseudocode illustrates the vulnerable sequence:
```text
receive_ticket(payload):
    ticket = parse_ticket(payload)
    if ticket.header == NULL:
        work_process.access(ticket.header)  # NULL dereference
    end if
    continue_processing(ticket)
```
Unlike injection or authentication bypass vulnerabilities, this flaw relies purely on a memory safety error in ticket handling.
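The same missing-check pattern in C, next to a hardened handler, as an added example that is not SAP's code or part of the original article. The one-byte-length ticket layout and all function names are hypothetical.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical toy layout, NOT the SAP ticket format:
   byte 0 = header length N, bytes 1..N = header, remainder = body. */
typedef struct {
    unsigned char *header;   /* NULL when the header could not be parsed */
    size_t header_len;
} ticket_t;

/* Mirrors parse_ticket() in the pseudocode: on malformed input it returns
   a ticket object whose header pointer is NULL. */
static ticket_t parse_ticket(const unsigned char *buf, size_t len) {
    ticket_t t = { NULL, 0 };
    if (buf == NULL || len < 1) return t;
    size_t n = buf[0];
    if (n == 0 || n > len - 1) return t;      /* declared length exceeds input */
    t.header = malloc(n);
    if (t.header == NULL) return t;
    memcpy(t.header, buf + 1, n);
    t.header_len = n;
    return t;
}

/* Vulnerable pattern: reads through header without checking it. With a
   malformed ticket this dereferences NULL and the OS kills the process. */
int handle_ticket_unchecked(const unsigned char *buf, size_t len) {
    ticket_t t = parse_ticket(buf, len);
    int version = t.header[0];                /* NULL dereference on bad input */
    free(t.header);
    return version;
}

/* Hardened pattern: reject the ticket and keep the worker alive. */
int handle_ticket_checked(const unsigned char *buf, size_t len) {
    ticket_t t = parse_ticket(buf, len);
    if (t.header == NULL) return -1;          /* fail closed, no dereference */
    int version = t.header[0];
    free(t.header);
    return version;
}

int main(void) {
    const unsigned char bad[] = { 9, 7 };     /* constructed: claims 9 header bytes, has 1 */
    return handle_ticket_checked(bad, sizeof bad) == -1 ? 0 : 1;
}
```

Both handlers return the same value for a well-formed ticket; they differ only in whether a malformed one ends in a rejected request or a terminated process.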
SAP published Security Note 3627308 and issued kernel and platform updates on its October 2025 patch day. Administrators should apply the provided patches without delay.
As a temporary workaround, organizations can disable external logon ticket acceptance on the SAP ICM component; however, this may disrupt legitimate federated logins.
In addition, network-level filtering of SAP interfaces and ensuring that SAProuter or Web Dispatcher is configured to permit only trusted sources can further reduce exposure.
No active exploitation of CVE-2025-42902 has been observed to date; proactive patching remains the optimal defense.
Regular security posture reviews and stringent network-level controls will help safeguard SAP environments against similar memory corruption vulnerabilities.