CVE-2025-27436

Summary

The Manage Bank Statements in SAP S/4HANA does not perform required access control checks for an authenticated user to confirm whether a request to interact with a resource is legitimate, allowing the attacker to delete the attachment of a posted bank statement. This leads to a low impact on integrity, with no impact on the confidentiality of the data or the availability of the application.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP S/4HANA (Manage Bank Statements)S4CORE 107affected
SAP_SESAP S/4HANA (Manage Bank Statements)108affected

Weaknesses

  • CWE-639: CWE-639: Authorization Bypass Through User-Controlled Key

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References