CVE-2025-43003

Summary

SAP S/4 HANA allows an authenticated attacker with user privileges to configure a field not intended for their access and create a custom UI layout displaying this field. On performing this step the attacker could gain access to highly sensitive information. This could cause a high impact on confidentiality and minimal impact on integrity and availability of the application.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP S/4HANA (Private Cloud & On-Premise)S4CRM 204affected
SAP_SESAP S/4HANA (Private Cloud & On-Premise)205affected
SAP_SESAP S/4HANA (Private Cloud & On-Premise)206affected
SAP_SESAP S/4HANA (Private Cloud & On-Premise)S4CEXT 107affected
SAP_SESAP S/4HANA (Private Cloud & On-Premise)108affected
SAP_SESAP S/4HANA (Private Cloud & On-Premise)BBPCRM 702affected
SAP_SESAP S/4HANA (Private Cloud & On-Premise)712affected
SAP_SESAP S/4HANA (Private Cloud & On-Premise)713affected
SAP_SESAP S/4HANA (Private Cloud & On-Premise)714affected

Weaknesses

  • CWE-749: CWE-749: Exposed Dangerous Method or Function

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References