CVSS: 9.9EPSS: 0%CPEs: 11EXPL: 0CVE-2025-42967 – Code Injection vulnerability in SAP S/4HANA and SAP SCM (Characteristic Propagation)
https://notcve.org/view.php?id=CVE-2025-42967
08 Jul 2025 — SAP S/4HANA and SAP SCM Characteristic Propagation has remote code execution vulnerability. This allows an attacker with high privileges to create a new report with his own code potentially gaining full control of the affected SAP system causing high impact on confidentiality, integrity, and availability of the application. SAP S/4HANA and SAP SCM Characteristic Propagation has remote code execution vulnerability. This allows an attacker with user level privileges to create a new report with his own code po... • https://me.sap.com/notes/3618955 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-42993 – Missing Authorization Check in SAP S/4HANA (Enterprise Event Enablement)
https://notcve.org/view.php?id=CVE-2025-42993
10 Jun 2025 — Due to a missing authorization check vulnerability in SAP S/4HANA (Enterprise Event Enablement), an attacker with access to the Inbound Binding Configuration could create an RFC destination and assign an arbitrary high-privilege user. This allows the attacker to consume events via the RFC destination, leading to code execution under the privileges of the assigned high-privilege user. While the vulnerability has a low impact on Availability, it significantly poses a high risk to both Confidentiality and Inte... • https://me.sap.com/notes/3580384 • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 4EXPL: 0CVE-2025-42987 – Missing Authorization Check in SAP S/4HANA (Manage Processing Rules - For Bank Statement)
https://notcve.org/view.php?id=CVE-2025-42987
10 Jun 2025 — SAP Manage Processing Rules (For Bank Statement) allows an attacker with basic privileges to edit shared rules of any user by tampering the request parameter. Due to missing authorization check, the attacker can edit rules that should be restricted, compromising the integrity of the application. • https://me.sap.com/notes/3596850 • CWE-862: Missing Authorization •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-42984 – Missing Authorization check in SAP S/4HANA (Manage Central Purchase Contract application)
https://notcve.org/view.php?id=CVE-2025-42984
10 Jun 2025 — SAP S/4HANA Manage Central Purchase Contract does not perform necessary authorization checks for an authenticated user. Due to this, an attacker could execute the function import on the entity making it inaccessible for unrestricted user. This has low impact on confidentiality and availability of the application. • https://me.sap.com/notes/3441087 • CWE-862: Missing Authorization •
CVSS: 8.7EPSS: 0%CPEs: 11EXPL: 0CVE-2025-43010 – Code injection vulnerability in SAP S/4HANA Cloud Private Edition or On Premise(SCM Master Data Layer (MDL))
https://notcve.org/view.php?id=CVE-2025-43010
13 May 2025 — SAP S/4HANA Cloud Private Edition or on Premise (SCM Master Data Layer (MDL)) allows an authenticated attacker with SAP standard authorization to execute a certain function module remotely and replace arbitrary ABAP programs, including SAP standard programs. This is due to lack of input validation and no authorization checks. This has low Confidentiality impact but high impact on integrity and availability to the application. • https://me.sap.com/notes/3600859 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-43008 – Missing Authorization check in SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal
https://notcve.org/view.php?id=CVE-2025-43008
13 May 2025 — Due to missing authorization check, an unauthorized user can view the files of other company. This might lead to disclosure of personal data of employees. There is no impact on integrity and availability. • https://me.sap.com/notes/3585992 • CWE-862: Missing Authorization •
CVSS: 6.4EPSS: 0%CPEs: 7EXPL: 0CVE-2025-43003 – Information Disclosure vulnerability in SAP S/4HANA (Private Cloud & On-Premise)
https://notcve.org/view.php?id=CVE-2025-43003
13 May 2025 — SAP S/4 HANA allows an authenticated attacker with user privileges to configure a field not intended for their access and create a custom UI layout displaying this field. On performing this step the attacker could gain access to highly sensitive information. This could cause a high impact on confidentiality and minimal impact on integrity and availability of the application. • https://me.sap.com/notes/3596033 • CWE-749: Exposed Dangerous Method or Function •
CVSS: 9.9EPSS: 0%CPEs: 6EXPL: 0CVE-2025-27429 – Code Injection Vulnerability in SAP S/4HANA (Private Cloud or On-Premise)
https://notcve.org/view.php?id=CVE-2025-27429
08 Apr 2025 — SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system. SAP S/4HANA permite a un atacante con privilegios de usuario explotar una vulnerabilidad en el módulo d... • https://me.sap.com/notes/3581961 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27436 – Broken Access Control vulnerabilities in SAP S/4HANA (Manage Bank Statements)
https://notcve.org/view.php?id=CVE-2025-27436
11 Mar 2025 — The Manage Bank Statements in SAP S/4HANA does not perform required access control checks for an authenticated user to confirm whether a request to interact with a resource is legitimate, allowing the attacker to delete the attachment of a posted bank statement. This leads to a low impact on integrity, with no impact on the confidentiality of the data or the availability of the application. • https://me.sap.com/notes/3565835 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27433 – Broken Access Control vulnerabilities in SAP S/4HANA (Manage Bank Statements)
https://notcve.org/view.php?id=CVE-2025-27433
11 Mar 2025 — The Manage Bank Statements in SAP S/4HANA allows authenticated attacker to bypass certain functionality restrictions of the application and upload files to a reversed bank statement. This vulnerability has a low impact on the application's integrity, with no effect on confidentiality and availability of the application. • https://me.sap.com/notes/3565835 • CWE-639: Authorization Bypass Through User-Controlled Key •