Description

An unauthenticated attacker may exploit a scenario where a Hashed Message Authentication Code (HMAC) credential, extracted from a system missing specific security patches, is reused in a replay attack against a different system. Even if the target system is fully patched, successful exploitation could result in complete system compromise, affecting confidentiality, integrity, and availability.

PUBLISHED Reserved 2025-04-16 | Published 2025-07-08 | Updated 2026-02-26 | Assigner sap




HIGH: 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-308: Use of Single-factor Authentication

Product status

Default status
unaffected

SAP_BASIS 700
affected

SAP_BASIS 701
affected

SAP_BASIS 702
affected

SAP_BASIS 731
affected

SAP_BASIS 740
affected

SAP_BASIS 750
affected

SAP_BASIS 751
affected

SAP_BASIS 752
affected

SAP_BASIS 753
affected

SAP_BASIS 754
affected

SAP_BASIS 755
affected

SAP_BASIS 756
affected

SAP_BASIS 757
affected

SAP_BASIS 758
affected

SAP_BASIS 914
affected

SAP_BASIS 915
affected

References

me.sap.com/notes/3600846

url.sap/sapsecuritypatchday

cve.org (CVE-2025-42959)

nvd.nist.gov (CVE-2025-42959)
