CVE-2025-42876

Summary

Due to a Missing Authorization Check vulnerability in SAP S/4 HANA Private Cloud (Financials General Ledger), an authenticated attacker with authorization limited to a single company code could read sensitive data and post or modify documents across all company codes. Successful exploitation could result in a high impact to confidentiality and a low impact to integrity, while availability remains unaffected.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP S/4 HANA Private Cloud (Financials General Ledger)S4CORE 104affected
SAP_SESAP S/4 HANA Private Cloud (Financials General Ledger)105affected
SAP_SESAP S/4 HANA Private Cloud (Financials General Ledger)106affected
SAP_SESAP S/4 HANA Private Cloud (Financials General Ledger)107affected
SAP_SESAP S/4 HANA Private Cloud (Financials General Ledger)108affected
SAP_SESAP S/4 HANA Private Cloud (Financials General Ledger)109affected

Weaknesses

  • CWE-405: CWE-405: Asymmetric Resource Consumption

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References