CVE-2025-43010

Summary

SAP S/4HANA Cloud Private Edition or on Premise (SCM Master Data Layer (MDL)) allows an authenticated attacker with SAP standard authorization to execute a certain function module remotely and replace arbitrary ABAP programs, including SAP standard programs. This is due to lack of input validation and no authorization checks. This has low Confidentiality impact but high impact on integrity and availability to the application.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP S/4HANA Cloud Private Edition or on Premise (SCM Master Data Layer (MDL))S4CORE 102affected
SAP_SESAP S/4HANA Cloud Private Edition or on Premise (SCM Master Data Layer (MDL))103affected
SAP_SESAP S/4HANA Cloud Private Edition or on Premise (SCM Master Data Layer (MDL))104affected
SAP_SESAP S/4HANA Cloud Private Edition or on Premise (SCM Master Data Layer (MDL))105affected
SAP_SESAP S/4HANA Cloud Private Edition or on Premise (SCM Master Data Layer (MDL))106affected
SAP_SESAP S/4HANA Cloud Private Edition or on Premise (SCM Master Data Layer (MDL))107affected
SAP_SESAP S/4HANA Cloud Private Edition or on Premise (SCM Master Data Layer (MDL))108affected
SAP_SESAP S/4HANA Cloud Private Edition or on Premise (SCM Master Data Layer (MDL))SCM_BASIS 700affected
SAP_SESAP S/4HANA Cloud Private Edition or on Premise (SCM Master Data Layer (MDL))701affected
SAP_SESAP S/4HANA Cloud Private Edition or on Premise (SCM Master Data Layer (MDL))702affected
SAP_SESAP S/4HANA Cloud Private Edition or on Premise (SCM Master Data Layer (MDL))712affected
SAP_SESAP S/4HANA Cloud Private Edition or on Premise (SCM Master Data Layer (MDL))713affected
SAP_SESAP S/4HANA Cloud Private Edition or on Premise (SCM Master Data Layer (MDL))714affected

Weaknesses

  • CWE-94: CWE-94: Improper Control of Generation of Code

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References