CVE-2025-23186

{"id": "CVE-2025-23186", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "cna@sap.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.8}]}, "published": "2025-04-08T08:15:15.133", "references": [{"url": "https://me.sap.com/notes/3554667", "source": "cna@sap.com"}, {"url": "https://url.sap/sapsecuritypatchday", "source": "cna@sap.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "cna@sap.com", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "In certain conditions, SAP NetWeaver Application Server ABAP allows an authenticated attacker to craft a Remote Function Call (RFC) request to restricted destinations, which can be used to expose credentials for a remote service. These credentials can then be further exploited to completely compromise the remote service, potentially resulting in a significant impact on the confidentiality, integrity, and availability of the application."}, {"lang": "es", "value": "En ciertas circunstancias, SAP NetWeaver Application Server ABAP permite a un atacante autenticado manipular una solicitud de Remote Function Call (RFC) a destinos restringidos, que puede utilizarse para exponer las credenciales de un servicio remoto. Estas credenciales pueden explotarse posteriormente para comprometer completamente el servicio remoto, lo que podr\u00eda afectar significativamente la confidencialidad, la integridad y la disponibilidad de la aplicaci\u00f3n."}], "lastModified": "2025-04-08T18:13:53.347", "sourceIdentifier": "cna@sap.com"}