CVE-2025-42967 PUBLISHED

Code Injection vulnerability in SAP S/4HANA and SAP SCM (Characteristic Propagation)

Assigner: sap
Reserved: 16.04.2025 Published: 08.07.2025 Updated: 09.07.2025

SAP S/4HANA and SAP SCM Characteristic Propagation has remote code execution vulnerability. This allows an attacker with user level privileges to create a new report with his own code potentially gaining full control of the affected SAP system causing high impact on confidentiality, integrity, and availability of the application.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.9

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	SAP_SE
Product	SAP S/4HANA and SAP SCM (Characteristic Propagation)
Versions	Default: unaffected Version SCMAPO 713 is affected Version 714 is affected Version S4CORE 102 is affected Version 103 is affected Version 104 is affected Version S4COREOP 105 is affected Version 106 is affected Version 107 is affected Version 108 is affected Version SCM 700 is affected Version 701 is affected Version 702 is affected Version 712 is affected

CVE-2025-42967 PUBLISHED

Code Injection vulnerability in SAP S/4HANA and SAP SCM (Characteristic Propagation)

Metrics

Product Status

References

Problem Types