CVE-2025-42987 PUBLISHED

Missing Authorization Check in SAP S/4HANA (Manage Processing Rules - For Bank Statement)

Assigner: sap
Reserved: 16.04.2025 Published: 10.06.2025 Updated: 10.06.2025

SAP Manage Processing Rules (For Bank Statement) allows an attacker with basic privileges to edit shared rules of any user by tampering the request parameter. Due to missing authorization check, the attacker can edit rules that should be restricted, compromising the integrity of the application.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS Score: 4.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	SAP_SE
Product	SAP S/4HANA (Manage Processing Rules - For Bank Statement)
Versions	Default: unaffected Version S4CORE 104 is affected Version 105 is affected Version 106 is affected Version 107 is affected Version 108 is affected

CVE-2025-42987 PUBLISHED

Missing Authorization Check in SAP S/4HANA (Manage Processing Rules - For Bank Statement)

Metrics

Product Status

References

Problem Types