Vahagn Vardanian

Co-founder and CTO of RedRays

CVE-2025-42937 – Critical Directory Traversal Vulnerability in SAP Print Service

Unauthenticated Path Traversal Enabling System-Wide File Manipulation

CVSS 9.8 | HotNews Priority | No Authentication Required | Published: October 14, 2025 | Component: SAPSPRINT

🚨 Maximum Severity Security Alert

SAP has disclosed a critical unauthenticated directory traversal vulnerability in SAP Print Service (SAPSprint). This near-maximum CVSS 9.8 vulnerability allows remote attackers without any credentials to traverse directory structures and overwrite critical system files, resulting in complete system compromise. This is an active exploitation risk requiring immediate emergency patching.

Vulnerability Overview

CVE-2025-42937 represents one of the most severe vulnerabilities discovered in SAP infrastructure in 2025. The flaw exists in SAP Print Service (SAPSprint), a critical component responsible for managing print operations across SAP landscapes. The vulnerability stems from insufficient validation of user-supplied path information, allowing attackers to perform directory traversal attacks without any authentication.

What makes this vulnerability particularly dangerous is the combination of three critical factors: it requires no authentication (anyone on the network can exploit it), it has low attack complexity (simple to exploit), and it provides complete system access (read, write, and delete files anywhere on the system). This creates a perfect storm for attackers seeking to compromise SAP environments.

The vulnerability allows attackers to use special character sequences (such as "../" path traversal strings) to navigate outside intended directories and access or modify any file the SAP Print Service process has permissions to touch. This includes critical system files, configuration files containing credentials, and application binaries.

Technical Details

CVE Identifier: CVE-2025-42937
SAP Security Note: 3630595
FAQ Note: 3636888
Affected Component: SAPSPRINT (SAP Print Service) Versions 8.0 - 8.1
Vulnerability Type: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Alternative Names: Directory Climbing, Backtracking, Dot-Dot-Slash Attack
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Assessment

🔓 Confidentiality: HIGH
⚠️ Integrity: HIGH
💥 Availability: HIGH
🚫 Auth Required: NONE

Critical Risk Factors

  • No Authentication Required: The most dangerous aspect - any attacker with network access can exploit this vulnerability without needing credentials
  • Low Attack Complexity: Exploitation is straightforward and can be automated with simple scripts
  • Network Attack Vector: Can be exploited remotely from anywhere on the network, including the internet if the service is exposed
  • No User Interaction: Attacks can be fully automated without requiring any user action
  • Complete CIA Triad Impact: Full compromise of confidentiality, integrity, and availability

Potential Business Impact

  • Complete System Compromise: Attackers can gain full control of SAP Print Service servers and potentially pivot to connected systems
  • Data Exfiltration: Access to sensitive configuration files, credentials, print spools containing confidential documents, and system files
  • Ransomware Deployment: Ability to write malicious executables and ransomware to system directories
  • Service Disruption: Overwriting critical system files can cause complete service outages and system instability
  • Privilege Escalation: Modification of system files and configurations can lead to privilege escalation and persistence
  • Supply Chain Risk: Compromised print services can be used to intercept, modify, or steal documents being printed
  • Compliance Violations: Data breaches resulting from this vulnerability could trigger GDPR, HIPAA, SOX, and other regulatory penalties
  • Lateral Movement: Compromised print servers can serve as pivot points to attack other systems in the SAP landscape

Attack Methodology

How Directory Traversal Attacks Work

  1. Reconnaissance: Attacker identifies SAP Print Service exposed on the network through port scanning or service enumeration
  2. Path Manipulation: Crafts malicious requests with directory traversal sequences (../, ..\.., URL-encoded variants like %2e%2e%2f)
  3. Validation Bypass: Exploits insufficient input validation to escape from the intended print spool directory
  4. System Navigation: Navigates through parent directories to reach sensitive system locations
  5. File Access: Reads sensitive files such as configuration files, password files, SSH keys, database credentials
  6. File Manipulation: Overwrites critical system files, application binaries, or configuration files with malicious content
  7. Persistence Establishment: Writes backdoors, web shells, or modified startup scripts to maintain access
  8. Lateral Movement: Uses compromised system as springboard to attack other SAP systems or network resources

Technical Root Cause Analysis

The vulnerability originates from inadequate input sanitization and path validation in SAP Print Service's file handling routines. The root causes include:

Insufficient Security Controls

  • Missing Path Canonicalization: User-supplied paths are not converted to absolute canonical form before validation
  • Inadequate Input Filtering: Special characters and path traversal sequences (../, ..\, etc.) are not properly filtered or blocked
  • Lack of Whitelist Validation: File paths are not validated against a whitelist of allowed directories
  • No Chroot/Sandboxing: Print service process is not confined to a restricted directory with chroot or similar mechanisms
  • Insufficient URL Decoding: Multiple encoding layers (URL encoding, double encoding) can bypass basic filters
  • Missing Boundary Checks: No verification that the resolved path stays within intended boundaries
  • Inadequate Error Handling: Error messages may leak information about file system structure

Affected Software Components

Component Details

Software Component: SAPSPRINT (SAP Print Service)
Affected Versions: Version 8.0 through Version 8.1
Platform: Cross-platform (Windows, Linux, Unix)
Service Type: Network-accessible print spooler and management service

Vulnerable Functions

  • File path handling in print job submission endpoints
  • Document retrieval and download functions
  • Print spool directory management routines
  • Configuration file access methods
  • Temporary file creation and cleanup processes

Security Patch Implementation

SAP's security patch introduces comprehensive path validation and sanitization mechanisms to prevent directory traversal attacks. The patch implements multiple layers of defense to ensure file operations remain within authorized boundaries.

Key Security Enhancements in the Patch

  1. Path Canonicalization: All user-supplied paths are converted to absolute canonical form, resolving symbolic links and eliminating relative path components
  2. Input Sanitization: Directory traversal sequences (../, ..\, and their encoded variants) are detected and blocked
  3. Whitelist Validation: Resolved paths are checked against a whitelist of allowed directories - any path outside these boundaries is rejected
  4. Multi-layer Decoding: Input undergoes multiple rounds of URL decoding to catch obfuscation attempts
  5. Boundary Enforcement: Additional checks ensure the final resolved path remains within the designated print service directory
  6. Null Byte Protection: Null byte injection attempts (%00) used to truncate paths are detected and blocked
  7. Enhanced Logging: All path validation failures are logged for security monitoring
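
The layered checks listed above can be combined in one validation routine. The following is an added example, not SAP's patch code and not taken from the original advisory; the function names, the `spool_root` parameter and the decode-round cap are assumptions made for illustration.

```python
import logging
import os
from urllib.parse import unquote

log = logging.getLogger("spool-path")  # hypothetical logger name
MAX_DECODE_ROUNDS = 5  # assumption: cap on nested URL-encoding layers

class PathRejected(ValueError):
    """Raised when a requested name fails validation."""

def fully_decode(value):
    """URL-decode repeatedly until stable, so double encoding is unwrapped."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise PathRejected("too many encoding layers")

def resolve_in_spool(spool_root, requested):
    """Return the canonical path of `requested` inside `spool_root`, or raise."""
    name = fully_decode(requested)
    if "\x00" in name:
        raise PathRejected("null byte in path")
    name = name.replace("\\", "/")  # treat ..\ like ../ on every platform
    if name.startswith("/") or name[1:2] == ":":
        raise PathRejected("absolute path")
    if ".." in name.split("/"):
        raise PathRejected("traversal sequence")
    root = os.path.realpath(spool_root)
    candidate = os.path.realpath(os.path.join(root, name))
    # Boundary check on the canonical form: also catches a symlink inside
    # the spool directory that points outside it.
    if os.path.commonpath([root, candidate]) != root:
        raise PathRejected("resolved path escapes spool directory")
    return candidate

def safe_path_or_none(spool_root, requested):
    """Validate and log every rejection for monitoring; None means rejected."""
    try:
        return resolve_in_spool(spool_root, requested)
    except ValueError as exc:
        log.warning("rejected path %r: %s", requested, exc)
        return None
```

The containment check runs on the canonical path rather than on the raw string, so it still holds if a traversal variant slips past the earlier string checks.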

Detection and Monitoring

Indicators of Compromise (IOCs)

  • HTTP requests containing path traversal sequences: ../, ..\, %2e%2e%2f, %2e%2e%5c
  • Multiple consecutive dots in file paths: ...., ....//
  • URL-encoded traversal attempts: %252e%252e%252f (double encoding)
  • Access to unexpected system paths: /etc/, /windows/, /usr/, /boot/
  • Requests for sensitive files: passwd, shadow, SAM, config files
  • HTTP 200 responses to unusual path requests (successful traversal)
  • Large number of 403/404 errors followed by 200 (probing then exploiting)
  • File modifications in system directories without legitimate reason
  • Unusual files appearing in system directories (backdoors, shells)
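
The request-level indicators above can be turned into a simple log scan. This is an added example, not part of the original advisory or of any SAP tooling; the "source status path" line format, the sample lines and the probing threshold are constructed assumptions, so adapt the parsing to the logs actually available.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Patterns from the indicator list above, matched after decoding.
TRAVERSAL = re.compile(r"\.\.[/\\]|\.{4,}")
SENSITIVE = re.compile(r"(?i)(/etc/|/windows/|/usr/|/boot/|passwd|shadow|\bSAM\b)")
PROBE_THRESHOLD = 3  # assumption: 403/404 count per source that marks probing

# Constructed sample lines: "<source> <status> <request path>"
SAMPLE = [
    "198.51.100.7 200 /spool/job-1041.ps",
    "192.0.2.10 404 /spool/../conf.ini",
    "192.0.2.10 403 /spool/%2e%2e%2fconf.ini",
    "192.0.2.10 404 /spool/%252e%252e%252f%252e%252e%252fetc/hosts",
    "192.0.2.10 200 /spool/..%5c..%5cetc/passwd",
    "198.51.100.7 200 /spool/job-1042.ps",
]

def decode_layers(path, rounds=3):
    """Undo up to `rounds` layers of URL encoding (covers %252e double encoding)."""
    for _ in range(rounds):
        path = unquote(path)
    return path

def scan(lines):
    """Return (source, reason, raw_path) findings in log order."""
    findings, errors = [], defaultdict(int)
    for line in lines:
        src, status, raw = line.split(maxsplit=2)
        path = decode_layers(raw)
        suspicious = bool(TRAVERSAL.search(path) or SENSITIVE.search(path))
        if suspicious and status == "200":
            # A 200 on a traversal path is the highest-priority signal.
            probed = errors[src] >= PROBE_THRESHOLD
            findings.append((src, "probe-then-success" if probed else "traversal-200", raw))
        elif suspicious:
            findings.append((src, "traversal-attempt", raw))
        if status in ("403", "404"):
            errors[src] += 1
        elif status == "200":
            errors[src] = 0
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```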
