CVE-2025-42903— User Enumeration and Sensitive Data Exposure via RFC Function in SAP Financial Service Claims Management
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-42903
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
User Enumeration and Sensitive Data Exposure via RFC Function in SAP Financial Service Claims Management
Source: NVD (National Vulnerability Database)
Vulnerability Description
A vulnerability in SAP Financial Service Claims Management RFC function ICL_USER_GET_NAME_AND_ADDRESS allows user enumeration and potential disclosure of personal data through response discrepancies, causing low impact on confidentiality with no impact on integrity or availability.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
响应差异性信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
SAP Financial Service Claims Management 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
SAP Financial Service Claims Management是德国思爱普(SAP)公司的一个金融服务网络平台。 SAP Financial Service Claims Management存在安全漏洞,该漏洞源于ICL_USER_GET_NAME_AND_ADDRESS RFC函数存在响应差异,可能导致用户枚举和个人数据泄露。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| SAP_SE | SAP Financial Service Claims Management | INSURANCE 803 | - |
II. Public POCs for CVE-2025-42903
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-42903
请登录查看更多情报信息。
Same Patch Batch · SAP_SE · 2025-10-14 · 9 CVEs total
| CVE-2025-42937 | 9.8 CRITICAL | Directory Traversal vulnerability in SAP Print Service |
| CVE-2025-42910 | 9.0 CRITICAL | Unrestricted File Upload Vulnerability in SAP Supplier Relationship Management |
| CVE-2025-42901 | 5.4 MEDIUM | Code Injection vulnerability in SAP Application Server for ABAP (BAPI Browser) |
| CVE-2025-42908 | 5.4 MEDIUM | Cross-Site Request Forgery (CSRF) vulnerability in SAP NetWeaver Application Server for AB |
| CVE-2025-42902 | 5.3 MEDIUM | Memory Corruption vulnerability in SAP Netweaver AS ABAP and ABAP Platform |
| CVE-2025-42906 | 5.3 MEDIUM | Directory Traversal vulnerability in SAP Commerce Cloud |
| CVE-2025-42939 | 4.3 MEDIUM | Missing Authorization Check in SAP S/4HANA (Manage Processing Rules - For Bank Statements) |
| CVE-2025-42909 | 3.0 LOW | Security Misconfiguration vulnerability in SAP Cloud Appliance Library Appliances |
IV. Related Vulnerabilities
Same vendor: SAP_SE
- CVE-2026-34264
Information Disclosure vulnerability in SAP Human Capital Ma - CVE-2026-34262
Information Disclosure Vulnerability in SAP HANA Cockpit and - CVE-2026-34261
Missing Authorization check in SAP Business Analytics and SA - CVE-2026-34257
Open Redirect vulnerability in SAP NetWeaver Application Ser - CVE-2026-34256
Missing Authorization check in SAP ERP and SAP S/4 HANA (Pri
Same weakness: CWE-204
- CVE-2026-8242
Industrial Application Software IAS Canias ERP Login RMI doA - CVE-2026-20195
Cisco Identity Services Engine Observable Response Discrepan - CVE-2026-24468
OpenAEV Vulnerable to Username/Email Enumeration Through Dif - CVE-2026-34264
Information Disclosure vulnerability in SAP Human Capital Ma - CVE-2026-4113
SonicWALL SMA1000 安全漏洞
V. Comments for CVE-2025-42903
No comments yet