CVE-2025-42909— Security Misconfiguration vulnerability in SAP Cloud Appliance Library Appliances
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-42909
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Security Misconfiguration vulnerability in SAP Cloud Appliance Library Appliances
Source: NVD (National Vulnerability Database)
Vulnerability Description
SAP Cloud Appliance Library Appliances allows an attacker with high privileges to leverage an insecure S/4HANA default profile setting in an existing SAP CAL appliances to gain access to other appliances. This has low impact on confidentiality of the application, integrity and availability is not impacted.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
没有’HttpOnly’标志的敏感Cookie
Source: NVD (National Vulnerability Database)
Vulnerability Title
SAP Cloud Appliance Library Appliances 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
SAP Cloud Appliance Library Appliances是德国思爱普(SAP)公司的一个云端镜像与系统部署平台。 SAP Cloud Appliance Library Appliances存在安全漏洞,该漏洞源于S/4HANA默认配置文件设置不安全,可能导致攻击者访问其他设备。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| SAP_SE | SAP Cloud Appliance Library Appliances | TITANIUM_WEBAPP 4.0 | - |
II. Public POCs for CVE-2025-42909
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-42909
请登录查看更多情报信息。
Same Patch Batch · SAP_SE · 2025-10-14 · 9 CVEs total
| CVE-2025-42937 | 9.8 CRITICAL | Directory Traversal vulnerability in SAP Print Service |
| CVE-2025-42910 | 9.0 CRITICAL | Unrestricted File Upload Vulnerability in SAP Supplier Relationship Management |
| CVE-2025-42901 | 5.4 MEDIUM | Code Injection vulnerability in SAP Application Server for ABAP (BAPI Browser) |
| CVE-2025-42908 | 5.4 MEDIUM | Cross-Site Request Forgery (CSRF) vulnerability in SAP NetWeaver Application Server for AB |
| CVE-2025-42902 | 5.3 MEDIUM | Memory Corruption vulnerability in SAP Netweaver AS ABAP and ABAP Platform |
| CVE-2025-42906 | 5.3 MEDIUM | Directory Traversal vulnerability in SAP Commerce Cloud |
| CVE-2025-42903 | 4.3 MEDIUM | User Enumeration and Sensitive Data Exposure via RFC Function in SAP Financial Service Cla |
| CVE-2025-42939 | 4.3 MEDIUM | Missing Authorization Check in SAP S/4HANA (Manage Processing Rules - For Bank Statements) |
IV. Related Vulnerabilities
Same vendor: SAP_SE
- CVE-2026-34264
Information Disclosure vulnerability in SAP Human Capital Ma - CVE-2026-34262
Information Disclosure Vulnerability in SAP HANA Cockpit and - CVE-2026-34261
Missing Authorization check in SAP Business Analytics and SA - CVE-2026-34257
Open Redirect vulnerability in SAP NetWeaver Application Ser - CVE-2026-34256
Missing Authorization check in SAP ERP and SAP S/4 HANA (Pri
Same weakness: CWE-1004
- CVE-2026-42239
Budibase auth session cookies are set with httpOnly:false — - CVE-2026-0696
Session Cookies Missing HttpOnly Attribute - CVE-2026-22081
Cookie without HTTPOnly Flag Vulnerability in Tenda Wireless - CVE-2025-12031
HTTP Security Misconfiguration - Lacking Secure and HTTPOnly - CVE-2025-27453
CVE-2025-27453
V. Comments for CVE-2025-42909
No comments yet