Cyber Posture

CVE-2025-0066

Severity: Critical

Published: 14 January 2025
Modified: 23 October 2025
KEV Added: not listed
Patch: available (see SAP Note 3550708 below)
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0009 (26.0th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-0066 is a critical-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability in SAP Basis (vendor: SAP). Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 26.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)
Directly enforces approved authorizations for access to information and resources, addressing the weak access controls that enable unauthorized access to restricted information in SAP NetWeaver ICF.

AC-6 Least Privilege (prevent)
Employs least privilege to restrict access to only the necessary permissions, mitigating the CWE-732 incorrect permission assignment that low-privileged attackers exploit.

SI-2 Flaw Remediation (prevent)
Requires timely remediation of identified flaws, including applying the SAP patches from Note 3550708 that fix this specific access control vulnerability.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

Weak access controls in the public-facing ICF component directly enable remote exploitation of the application (T1190) by low-privileged attackers, resulting in unauthorized access and, in effect, privilege escalation to full compromise (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Under certain conditions SAP NetWeaver AS for ABAP and ABAP Platform (Internet Communication Framework) allows an attacker to access restricted information due to weak access controls. This can have a significant impact on the confidentiality, integrity, and availability of an application.

Deeper analysis

CVE-2025-0066 affects SAP NetWeaver AS for ABAP and ABAP Platform, specifically the Internet Communication Framework component. The vulnerability arises from weak access controls under certain conditions, enabling an attacker to access restricted information. This issue, published on 2025-01-14, carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and is linked to CWE-732 (Incorrect Permission Assignment for Critical Resource), with potential significant impacts on the confidentiality, integrity, and availability of affected applications.

An attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. The changed scope (S:C) amplifies the impact: the attacker can achieve high confidentiality, integrity, and availability effects beyond the vulnerable component, potentially leading to full compromise of the targeted application.

SAP advisories provide mitigation guidance, including details in Note 3550708 (https://me.sap.com/notes/3550708) and the SAP Security Patch Day page (https://url.sap/sapsecuritypatchday). Security practitioners should review these references for applicable patches and remediation instructions.

Details

CWE(s)

CWE-732 Incorrect Permission Assignment for Critical Resource

Affected Products

Vendor: SAP
Product: SAP Basis
Versions: 700, 701, 702, 731, 740

CVEs Like This One

CVE-2025-0063 (same product: SAP Basis)
CVE-2026-23687 (same product: SAP Basis)
CVE-2025-23193 (same product: SAP Basis)
CVE-2026-0488 (same vendor: SAP)
CVE-2025-0064 (same vendor: SAP)
CVE-2026-0506 (same vendor: SAP)
CVE-2026-0492 (same vendor: SAP)
CVE-2026-24322 (same vendor: SAP)
CVE-2026-0508 (same vendor: SAP)
CVE-2026-0490 (same vendor: SAP)