Critical Remediation Guide: Securing SAPSprint Against CVE-2025-42937

  • CVSS Score: 9.8 (Critical) 
  • Affected Component: SAPSprint Server (SAP Print Service) 
  • Risk Level: Critical – Immediate Action Required

A critical vulnerability in the SAPSprint service allows unauthenticated remote attackers to execute arbitrary commands with SYSTEM privileges on Windows servers. Because this service often listens on its default port (TCP 515) without authentication, it represents a high-priority target for threat actors seeking an initial foothold in SAP environments.

This guide provides a verified, step-by-step procedure to patch, harden, and validate your SAPSprint configurations. For a detailed breakdown of the exploit chain, read our technical analysis of CVE-2025-42937.

Phase 1: Audit & Isolation

Before applying patches, you must identify your exposure. SAPSprint is often installed on “forgotten” infrastructure servers that may not be in your primary SAP inventory.

1. Identify Vulnerable Instances

SAPSprint is a Windows service distinct from the main SAP Application Server. It acts as a bridge for remote printing.

  • Action: Scan your Windows server estate for the sapsprint.exe service.
  • Check: Verify if port 515 (TCP) is exposed to the internet or untrusted network segments.
  • Tooling: Use Onapsis Assess to automatically discover hidden SAPSprint instances and prioritize vulnerable assets based on their business criticality.
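The audit step above can be scripted. The following PowerShell inventory function is an added example (not from the Onapsis guide and not part of Onapsis Assess): it checks each host for a service whose binary is sapsprint.exe, reads the file version from the executable, compares it with the patched build the guide quotes, and reports whether anything is listening on TCP 515. It assumes PowerShell remoting (WinRM) to the targets and that 7700.1.2.3 is the patched build for your release (confirm against SAP Note 3630595); the Get-ADComputer line in the usage comment is one way to build the host list and is an assumption about your environment.

```powershell
# Added example (not from the Onapsis guide): inventory Windows hosts for the
# SAPSprint service, its binary version and whether TCP 515 is listening.
# Assumptions: WinRM remoting is enabled on the targets; 7700.1.2.3 is the
# patched build number quoted by the guide (confirm in SAP Note 3630595).

function Get-SapSprintStatus {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string]$PatchedVersion = '7700.1.2.3'
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $PatchedVersion -ScriptBlock {
        param([string]$PatchedVersion)
        $result = [ordered]@{
            Host = $env:COMPUTERNAME; Installed = $false; Service = $null; State = $null
            Path = $null; FileVersion = $null; BelowPatched = $null
            Listening515 = $false; ListenAddress = $null
        }
        # Find the service by its executable rather than its display name, in case
        # it was registered under a custom service name.
        $svc = Get-CimInstance Win32_Service |
            Where-Object { $_.PathName -match '(?i)sapsprint\.exe' } |
            Select-Object -First 1
        if ($svc) {
            $result.Installed = $true
            $result.Service   = $svc.Name
            $result.State     = $svc.State
            # PathName may be quoted and may carry arguments; keep only the executable.
            $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
            $result.Path = $exe
            if (Test-Path $exe) {
                $vi = (Get-Item $exe).VersionInfo
                # Build a [version] from the numeric parts; FileVersion strings can carry extra text.
                $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
                $result.FileVersion  = $ver.ToString()
                $result.BelowPatched = $ver -lt [version]$PatchedVersion
            }
        }
        # The port check is independent of the service lookup: a listener on 515
        # with no matching service is still worth a closer look.
        $listener = Get-NetTCPConnection -LocalPort 515 -State Listen -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if ($listener) {
            $result.Listening515  = $true
            $result.ListenAddress = $listener.LocalAddress   # 0.0.0.0 or :: means every interface
        }
        [pscustomobject]$result
    } | Select-Object * -ExcludeProperty PSComputerName, RunspaceId, PSShowComputerName
}

# Usage: feed the whole Windows server estate, then keep only hosts that need action.
# $estate = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' | Select-Object -ExpandProperty DNSHostName
# Get-SapSprintStatus -ComputerName $estate |
#     Where-Object { $_.Installed -or $_.Listening515 } |
#     Sort-Object BelowPatched -Descending | Format-Table -AutoSize
```

Hosts where BelowPatched is true and ListenAddress is 0.0.0.0 or :: are the ones to isolate first (Phase 1, step 2) while the patch is scheduled.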

2. Emergency Isolation

If immediate patching is not possible, restrict network access to the print server.

  • Action: Configure host-based firewalls (Windows Firewall) to allow traffic to port 515 only from known SAP Application Servers.
  • Why: This limits the attack surface, preventing lateral movement from compromised workstations or external attackers.

Phase 2: Applying the Fix (Patching)

The primary remediation is a binary replacement provided by SAP.

Step 1: Download the Security Note

  • Source: Log in to the SAP Support Portal and access SAP Security Note 3630595.
  • Requirement: Ensure you download the correct version for your specific SAPSprint release (typically 7.70 or higher).

Step 2: Service Update (Downtime Required)

This is not a hot patch; the service must be restarted.

  • Action: Stop the SAPSprint service via services.msc or the command line (net stop SAPSprint).
  • Action: Replace the existing executable with the patched version 7700.1.2.3 (or newer).
  • Action: Restart the service and verify it is running.
  • Reference: Review SAP Note 3636888 for specific FAQ details regarding the patch installation.
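The three service actions above, carried out as one script, as an added example (this is not SAP's installer and not a script from the guide). It pre-checks the downloaded file's version before stopping anything, keeps a backup of the old executable, and rolls back if the patched service does not come up. It assumes the service is registered as SAPSprint (the name the guide uses with net stop), that the patched binary from SAP Note 3630595 has already been downloaded to the path passed as -PatchedBinary, and that 7700.1.2.3 is the expected build; run it elevated on the SAPSprint host.

```powershell
# Added example (not SAP's installer or the guide's own script): replace
# sapsprint.exe with a backup, a pre-check of the new file's version and an
# automatic rollback if the patched service fails to start.
# Assumptions: service name 'SAPSprint'; patched binary already downloaded from
# SAP Note 3630595; expected build 7700.1.2.3 as quoted by the guide.

function Get-ExeVersion([string]$Path) {
    # Use the numeric parts so version strings with trailing text still parse.
    $vi = (Get-Item $Path).VersionInfo
    [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Update-SapSprintBinary {
    param(
        [Parameter(Mandatory)][string]$PatchedBinary,
        [string]$ServiceName = 'SAPSprint',
        [version]$ExpectedVersion = '7700.1.2.3'
    )
    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) { throw "Service '$ServiceName' not found on $env:COMPUTERNAME" }
    # PathName may be quoted and may carry arguments; keep only the executable.
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }

    # Pre-check before any downtime: refuse to install a file below the expected build.
    $newVer = Get-ExeVersion $PatchedBinary
    if ($newVer -lt $ExpectedVersion) {
        throw "Downloaded binary is $newVer, expected at least $ExpectedVersion"
    }
    $before = Get-ExeVersion $exe
    $backup = "$exe.$before-$(Get-Date -Format 'yyyyMMddHHmmss').bak"

    # Downtime starts here (the guide notes this is not a hot patch).
    Stop-Service -Name $ServiceName -Force
    (Get-Service -Name $ServiceName).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
    Copy-Item -Path $exe -Destination $backup
    try {
        Copy-Item -Path $PatchedBinary -Destination $exe -Force
        Start-Service -Name $ServiceName
        (Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    } catch {
        # Roll back so printing is not left down after a failed install.
        Write-Warning "Patched service failed to start ($_); restoring $backup"
        Copy-Item -Path $backup -Destination $exe -Force
        Start-Service -Name $ServiceName -ErrorAction SilentlyContinue
        throw
    }

    $after = Get-ExeVersion $exe
    [pscustomobject]@{
        Service       = $ServiceName
        Path          = $exe
        VersionBefore = $before.ToString()
        VersionAfter  = $after.ToString()
        Patched       = $after -ge $ExpectedVersion
        State         = (Get-Service -Name $ServiceName).Status
        Sha256        = (Get-FileHash -Path $exe -Algorithm SHA256).Hash   # for the change record
        Backup        = $backup
    }
}

# Usage (path is a placeholder for wherever you saved the download):
# Update-SapSprintBinary -PatchedBinary 'C:\Temp\sapsprint.exe'
```

The returned object gives you the before/after versions, the running state and the SHA-256 of the installed file, which is what a change record and the Phase 4 version check both need.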

Phase 3: Hardening with Encryption

Patching fixes the code flaw, but hardening the protocol eliminates the root cause. The default SAPLPD protocol sends print data in clear text, leaving it open to manipulation.

Configure Secure Network Communications (SNC)

You must enforce encryption to prevent attackers from injecting malicious payloads into the print stream.

  1. Access Configuration: Open the Print Options Editor on the host server.
  2. Navigate: Go to SNC Options > SNC Mode.
  3. Select: Choose “Only safe connections”.
    • Warning: Do not select “Both connections.” This “mixed mode” allows attackers to downgrade the connection to clear text and bypass your security controls.
  4. Validate Library Path: Ensure the snc/lib parameter points to a valid SAP Cryptographic Library installed on the host.

Phase 4: Validation & Monitoring

Do not assume the patch worked. Verify your posture actively.

1. Verify the Binary Version

  • Right-click sapsprint.exe -> Properties -> Details.
  • Confirm the File Version matches the patched build number listed in the Security Note (e.g., 7700.1.2.3).

2. Monitor for Suspicious Activity

Even after patching, you should monitor for attempted exploitation, which could indicate a persistent threat actor in your network.

  • Log Inspection: Check SAPSprint logs (typically C:\ProgramData\SAP\SAPSprint\Logs) for failed attempts to write to sensitive directories like C:\Windows\.
  • Automated Detection: Deploy Onapsis Defend to detect unauthorized configuration changes or suspicious service behavior in real-time, alerting your SOC before an exploit succeeds.
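Two of the checks described above, scripted as an added example (not from the guide and not part of Onapsis Defend). The first searches the SAPSprint log directory for lines that mention a sensitive Windows path together with a failure keyword; the guide does not document the log line format, so the search keys on the path rather than on a message layout, and the sample lines written to a temp directory are constructed for the offline demonstration, not real SAPSprint output. The second looks for processes whose creator is sapsprint.exe in Security event 4688, which is relevant because the vulnerability is command execution by the print service; it assumes process-creation auditing is enabled and that the event text carries the "Creator Process Name" field (Windows Server 2016 and later).

```powershell
# Added example (not from the guide): post-patch checks for attempted exploitation.
# Assumptions: default log directory from the guide; log line format unknown, so
# the search keys on the path; Security event 4688 auditing is enabled.

function Find-SapSprintSensitiveWrites {
    param(
        [string]$LogDir = 'C:\ProgramData\SAP\SAPSprint\Logs',
        [string[]]$SensitivePaths = @('C:\Windows\', 'C:\Program Files\', 'C:\Users\')
    )
    # Escape the paths so the backslashes are matched literally.
    $pathPattern = ($SensitivePaths | ForEach-Object { [regex]::Escape($_) }) -join '|'
    Get-ChildItem -Path $LogDir -Filter '*.log' -File -Recurse |
        Select-String -Pattern $pathPattern |
        Where-Object { $_.Line -match '(?i)(fail|denied|error|cannot|unable)' } |
        Select-Object @{ n = 'File'; e = { $_.Filename } }, LineNumber, Line
}

function Find-SapSprintChildProcesses {
    param([int]$Hours = 24)
    # A print service should not launch other programs; command execution through
    # sapsprint.exe appears here as a child process whose creator is the service.
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '(?i)Creator Process Name:\s+\S*sapsprint\.exe' } |
        ForEach-Object {
            $child = if ($_.Message -match 'New Process Name:\s+(\S+)') { $Matches[1] } else { '(unparsed)' }
            [pscustomobject]@{ Time = $_.TimeCreated; ChildProcess = $child; RecordId = $_.RecordId }
        }
}

# Offline demonstration with constructed log lines (not real SAPSprint output).
# The second line is the planted hit: a sensitive path plus a failure keyword.
$demoDir = Join-Path $env:TEMP 'sapsprint-demo-logs'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
@(
    '2025-11-03 10:01:02 INFO  job 4711 spooled to \\PRINTSRV\Q1',
    '2025-11-03 10:01:09 ERROR write failed: C:\Windows\Temp\spool.dll (access denied)',
    '2025-11-03 10:01:10 INFO  job 4712 spooled to \\PRINTSRV\Q1'
) | Set-Content -Path (Join-Path $demoDir 'sapsprint.log')
Find-SapSprintSensitiveWrites -LogDir $demoDir | Format-Table -AutoSize

# On a real host, run both against live data:
# Find-SapSprintSensitiveWrites | Format-Table -AutoSize
# Find-SapSprintChildProcesses -Hours 72 | Format-Table -AutoSize
```

Any result from Find-SapSprintChildProcesses deserves an incident ticket: a patched print service still spawning child processes either means the patch did not take or that something was already resident before it was applied.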

3. Connectivity Test

  • Attempt to send a simple print job from a machine without SNC configured.
  • Success Criteria: The connection should be refused. If the job prints, your “Only safe connections” setting is not correctly enforced.
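The connectivity test above, automated as an added example (not from the guide), to be run from a host that has no SNC configured. It opens a plain TCP connection to port 515 and sends the RFC 1179 "receive a printer job" request (byte 0x02, queue name, LF); an LPD server that is willing to accept a clear-text job answers with a single 0x00 byte. With "Only safe connections" enforced the expected outcome is a refused connection, a closed socket or no acknowledgement. It assumes SAPSprint answers RFC 1179 commands on 515 (the SAPLPD protocol named in the guide) and that the queue name is a placeholder for one of your configured printers.

```powershell
# Added example (not from the guide): clear-text LPD probe for the SNC validation.
# Assumptions: SAPSprint speaks RFC 1179 on TCP 515; queue name is a placeholder.

function Test-SapSprintClearTextRefused {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 515,
        [string]$Queue = 'PRINTER_QUEUE_PLACEHOLDER',
        [int]$TimeoutMs = 5000
    )
    $report = {
        param($Outcome, $Enforced)
        [pscustomobject]@{ Server = $Server; Port = $Port; Outcome = $Outcome; SncEnforced = $Enforced }
    }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        try {
            $async = $client.BeginConnect($Server, $Port, $null, $null)
            if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                return (& $report 'No TCP response within timeout (filtered or down)' $true)
            }
            $client.EndConnect($async)   # throws on refused / reset
        } catch {
            return (& $report "TCP connection refused: $($_.Exception.Message)" $true)
        }

        try {
            $stream = $client.GetStream()
            $stream.ReadTimeout = $TimeoutMs
            # RFC 1179 section 5.2: 0x02, queue name, LF. An accepting server acks with 0x00.
            [byte[]]$request = @(0x02) + [System.Text.Encoding]::ASCII.GetBytes($Queue) + @(0x0A)
            $stream.Write($request, 0, $request.Length)
            $ack  = New-Object byte[] 1
            $read = $stream.Read($ack, 0, 1)
            if ($read -eq 1 -and $ack[0] -eq 0) {
                return (& $report 'Clear-text LPD job accepted (0x00 ack): SNC is NOT enforced' $false)
            }
            if ($read -eq 0) {
                return (& $report 'Server closed the connection without acknowledging' $true)
            }
            return (& $report ('Non-zero reply 0x{0:X2}: job rejected' -f $ack[0]) $true)
        } catch {
            return (& $report "Socket closed or timed out before acknowledgement: $($_.Exception.Message)" $true)
        }
    } finally {
        $client.Close()
    }
}

# Usage from a workstation with no SNC configuration (placeholder host and queue):
# Test-SapSprintClearTextRefused -Server 'sapsprint-host.example.internal' -Queue 'LP01'
```

Only the SncEnforced = $false outcome is a failure of the check; every other outcome means the host did not accept a clear-text job. Run it once from a host that is allowed through the firewall (Phase 1, step 2) so that a refusal reflects the SNC setting rather than the network filter.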

Need help validating your print infrastructure? Secure your critical SAP operations today. Request a Threat Assessment to scan your landscape for unpatched SAPSprint servers and verify your SNC configurations.

Frequently Asked Questions: Remediation of CVE-2025-42937

Is a restart of the SAPSprint service required to apply the patch?

Yes. This is a binary replacement, not a configuration change. You must stop the sapsprint.exe service, replace the executable with the patched version (e.g., 7700.1.2.3), and then restart the service. Plan for a brief downtime of print services.

Can I use the “Both connections” setting for SNC to support legacy printers?

No. Selecting “Both connections” leaves your system vulnerable to downgrade attacks where an attacker can force the connection to use the unencrypted (clear-text) protocol. You must select “Only safe connections” to fully mitigate the risk of protocol manipulation.

How do I verify if my SAPSprint instance is vulnerable without running a scan?

You can manually check the file version. Right-click sapsprint.exe (typically in C:\Program Files\SAP\SAPSprint\), select Properties > Details, and check the File version. If it is lower than the version specified in SAP Note 3630595 (e.g., lower than 7700.1.2.3), your instance is vulnerable.

Does this vulnerability affect the main SAP Application Server?

No, this vulnerability is specific to the SAPSprint service, which is a standalone Windows service used for remote printing. However, compromising the SAPSprint server can provide an attacker with SYSTEM privileges on that Windows host, which can then be used as a pivot point to attack the wider SAP landscape.

What if I cannot patch immediately?

If immediate patching is not possible, you must isolate the service. Configure the Windows Firewall on the host server to restrict access to port 515 (TCP) so that only your known SAP Application Servers can connect. This prevents unauthorized external connections but does not fix the underlying code flaw.
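The isolation rule described here and in Phase 1, step 2 (Emergency Isolation), as an added PowerShell example that is not from the guide. Windows Firewall gives block rules precedence over allow rules, so a blanket "block 515" rule would also cut off the application servers; the correct shape is a single allow rule scoped to their addresses, with the default inbound action left at Block and any broader existing allow rules for the port or the binary disabled. The addresses in the usage line are placeholders for your own SAP Application Servers; run the function elevated on the SAPSprint host.

```powershell
# Added example (not from the guide): restrict inbound TCP 515 on the SAPSprint
# host to the known SAP Application Servers. Assumptions: run elevated on the
# print host; the address list is a placeholder for your application servers.

function Set-SapSprintFirewallIsolation {
    param(
        [Parameter(Mandatory)][string[]]$SapAppServers,
        [int]$Port = 515,
        [string]$RuleName = 'SAPSprint - allow TCP 515 from SAP application servers only'
    )
    # 1. A scoped allow rule only helps if the default inbound action is Block.
    Get-NetFirewallProfile |
        Where-Object { $_.DefaultInboundAction -ne 'Block' -or $_.Enabled -ne 'True' } |
        ForEach-Object {
            Write-Warning "Profile $($_.Name): enabled=$($_.Enabled), default inbound=$($_.DefaultInboundAction); expected Block"
        }

    # 2. Disable broader inbound allow rules that already open the port or the binary.
    #    (Per-rule filter lookups are slow on hosts with many rules; this runs once.)
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -ne $RuleName } |
        Where-Object {
            (($_ | Get-NetFirewallPortFilter).LocalPort -contains "$Port") -or
            (($_ | Get-NetFirewallApplicationFilter).Program -match '(?i)sapsprint\.exe')
        } |
        ForEach-Object {
            Write-Warning "Disabling broader allow rule: $($_.DisplayName)"
            $_ | Disable-NetFirewallRule
        }

    # 3. Recreate the scoped allow rule so reruns are idempotent.
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP -LocalPort $Port `
        -RemoteAddress $SapAppServers -Action Allow -Profile Any | Out-Null

    # 4. Return what is now effective, for review and the change record.
    $rule = Get-NetFirewallRule -DisplayName $RuleName
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Enabled       = $rule.Enabled
        LocalPort     = ($rule | Get-NetFirewallPortFilter).LocalPort
        RemoteAddress = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    }
}

# Usage (placeholder addresses; replace with your SAP Application Servers):
# Set-SapSprintFirewallIsolation -SapAppServers '192.0.2.10', '192.0.2.11'
```

Keep the returned RemoteAddress list in the change record and re-run the Phase 4 connectivity test from a host outside that list to confirm the rule is doing what you expect.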

I don’t see SAPSprint in my main SAP inventory. Could I still be affected?

Yes. SAPSprint is often installed on utility servers, print servers, or even forgotten infrastructure that is not tracked as part of the core SAP instance. We strongly recommend scanning your entire Windows server estate for the sapsprint.exe service running on port 515.