CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description (NVD)
SAP MDM Server ReadString function allows an attacker to send specially crafted packets which could trigger a memory read access violation in the server process that would then fail and exit unexpectedly causing high impact on availability with no impact on confidentiality and integrity of the application.
Analysis (AI)
Denial-of-service vulnerability in SAP MDM Server's ReadString function that allows unauthenticated remote attackers to trigger memory read access violations causing unexpected server process termination. The vulnerability affects SAP Master Data Management (MDM) Server and has a CVSS score of 7.5 with high availability impact; no confidentiality or integrity compromise occurs. This is a network-accessible denial-of-service vector with low attack complexity and no authentication requirements, making it a significant availability risk for organizations deploying SAP MDM infrastructure.
Technical Context (AI)
The vulnerability exists in SAP MDM Server's ReadString function, which handles parsing of string data from network packets. The root cause is classified as CWE-590 (Improper Null Termination), indicating insufficient validation or bounds checking when processing string input from untrusted network sources. The ReadString function likely fails to properly validate input length, encoding, or null-termination before performing memory operations, resulting in out-of-bounds read access. This memory safety issue in network protocol handling allows specially crafted packets to trigger access violations within the server process address space. The vulnerability affects SAP MDM Server components responsible for data communication and protocol parsing, which operate with system-level privileges and handle untrusted remote input without adequate sanitization.
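The bug class described above (a string reader that trusts length or termination information taken from the packet) is closed by checking every declared size against the bytes actually received before touching memory. The following is an added example, not SAP's code and not from the original page; the wire format (4-byte big-endian length followed by the string bytes) and all names in it are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed wire format (hypothetical, not SAP's protocol):
 * 4-byte big-endian length N, then N bytes of string data, no terminator. */
typedef struct {
    const uint8_t *buf; /* received packet */
    size_t len;         /* bytes actually received */
    size_t pos;         /* read cursor */
} reader_t;

enum { RS_OK = 0, RS_TRUNCATED = -1, RS_TOO_LONG = -2, RS_EMBEDDED_NUL = -3 };

/* Copy one string field into out and always NUL-terminate it.
 * On any error the cursor is left unchanged and nothing is read
 * beyond buf[len-1]. */
int read_string_checked(reader_t *r, char *out, size_t out_cap)
{
    if (r->pos > r->len || r->len - r->pos < 4)
        return RS_TRUNCATED;            /* no room for the length prefix */
    const uint8_t *p = r->buf + r->pos;
    uint32_t n = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                 ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    if (n > r->len - r->pos - 4)
        return RS_TRUNCATED;            /* declared length exceeds the packet */
    if (out_cap == 0 || n > out_cap - 1)
        return RS_TOO_LONG;             /* would not fit with its terminator */
    if (memchr(p + 4, 0, n) != NULL)
        return RS_EMBEDDED_NUL;         /* would silently shorten the C string */
    memcpy(out, p + 4, n);
    out[n] = '\0';
    r->pos += 4 + (size_t)n;
    return RS_OK;
}

int main(void)
{
    /* Constructed sample: declares 0xFFFFFFFF bytes, carries one. */
    const uint8_t pkt[] = { 0xFF, 0xFF, 0xFF, 0xFF, 'a' };
    reader_t r = { pkt, sizeof pkt, 0 };
    char out[16];
    int rc = read_string_checked(&r, out, sizeof out);
    printf("result=%d pos=%zu\n", rc, r.pos);
    return 0;
}
```

A reader written this way turns a malformed field into a rejected packet that the caller can log and drop, instead of a fault in the server process.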
Remediation (AI)
1) Obtain and apply the latest SAP security patch for MDM Server from SAP's support portal or Security Patch Day release.
2) Consult the SAP Note (KB article) corresponding to CVE-2025-42994 for version-specific patch details and implementation guidance.
3) Implement network segmentation to restrict MDM Server access to trusted internal networks only, preventing direct exposure to untrusted remote sources.
4) Deploy intrusion detection/prevention systems to detect and block packets matching the vulnerability trigger pattern (specially crafted ReadString inputs).
5) Monitor SAP MDM Server processes for unexpected terminations and implement process restart automation as a temporary mitigation.
6) Upgrade to the minimum patched version once SAP releases official fixes (typically published on Security Patch Day or critical patch schedule).
EUVD-2025-17595