CVE-2025-42910: CWE-434: Unrestricted Upload of File with Dangerous Type in SAP_SE SAP Supplier Relationship Management
Due to missing verification of file type or content, SAP Supplier Relationship Management allows an authenticated attacker to upload arbitrary files. These files could include executables that, if downloaded and executed by a user, could host malware. On successful exploitation an attacker could cause high impact on the confidentiality, integrity and availability of the application.
AI Analysis
Technical Summary
CVE-2025-42910 is a critical security vulnerability identified in SAP Supplier Relationship Management (SRM) versions SRMNXP01 100 and 150. The root cause is the lack of proper verification of file types or content during file uploads, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). An authenticated attacker can exploit this flaw to upload arbitrary files, including potentially malicious executables. These files could then be downloaded and executed by users, facilitating malware deployment or further compromise. The vulnerability affects the confidentiality, integrity, and availability of the SAP SRM application, as attackers may gain unauthorized access, modify data, or disrupt services. The CVSS v3.1 base score is 9.0 (critical), with vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H, indicating network attack vector, low attack complexity, requiring low privileges and user interaction, with a scope change and high impact on confidentiality, integrity, and availability. Although no public exploits are currently known, the vulnerability's severity and the critical role of SAP SRM in supply chain and procurement processes make it a high-risk issue. SAP has not yet released patches, so organizations must apply compensating controls to reduce exposure.
Potential Impact
The impact of CVE-2025-42910 is significant for organizations relying on SAP Supplier Relationship Management for procurement and supply chain operations. Successful exploitation can lead to unauthorized execution of malicious code, resulting in data breaches, manipulation of procurement data, disruption of supply chain workflows, and potential spread of malware within enterprise networks. Confidential information such as supplier contracts, pricing, and internal communications could be exposed or altered, undermining business integrity and trust. Availability of the SRM system may be compromised, causing operational downtime and financial losses. Given SAP SRM's integration with other enterprise systems, the attack could cascade, affecting broader IT infrastructure. The requirement for authentication and user interaction somewhat limits exploitation but does not eliminate risk, especially in environments with many users or weak access controls. The absence of known exploits currently provides a window for mitigation before active attacks emerge.
Mitigation Recommendations
Organizations should implement multiple layers of defense to mitigate this vulnerability. Immediate steps include restricting file upload permissions to the minimum necessary users and enforcing strict access controls and authentication mechanisms. Deploy server-side, application-layer validation of file types and content at upload time, using allowlists for permitted file extensions and MIME types and checking that a file's actual content matches its declared type. Monitor file upload activity and scan uploaded files with malware detection tools. Educate users about the risks of executing files downloaded from SAP SRM and enforce policies that prevent execution of untrusted files. Network segmentation can limit the impact of any compromise. Since no official patches are currently available, organizations should engage with SAP support for updates and advisories and prepare to apply patches promptly upon release. Regularly review and update incident response plans to address potential exploitation scenarios related to file upload vulnerabilities.
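The following is an added example of the allowlist-plus-content validation the mitigation recommendations describe; it is illustrative code written for this page, not SAP's code and not part of SAP SRM. It assumes a hypothetical upload handler that calls validate_upload() before storing a file, and the sample uploads it checks are constructed inline. The check accepts a file only when the extension, the client-declared MIME type and the leading bytes of the content all agree, and it rejects executable containers regardless of the name they were given.

```python
"""
Added example (not SAP code): server-side upload validation combining an
extension allowlist, a declared-MIME-type allowlist and content sniffing.
Sample uploads at the bottom are constructed for demonstration.
"""
import re
from dataclasses import dataclass

# Allowlist: final extension -> MIME types a client may legitimately declare for it.
ALLOWED = {
    "pdf": {"application/pdf"},
    "png": {"image/png"},
    "jpg": {"image/jpeg"},
    "jpeg": {"image/jpeg"},
    "csv": {"text/csv", "text/plain"},
}

# Leading bytes we expect for each allowed binary type.
MAGIC = {
    "pdf": [b"%PDF-"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
}

# Executable / script containers that are never acceptable, whatever the filename says.
EXECUTABLE_MAGIC = [
    b"MZ",                # Windows PE (DOS stub)
    b"\x7fELF",           # ELF
    b"\xfe\xed\xfa\xce",  # Mach-O 32-bit
    b"\xfe\xed\xfa\xcf",  # Mach-O 64-bit
    b"\xcf\xfa\xed\xfe",  # Mach-O 64-bit, little-endian
    b"#!",                # script with an interpreter line
]

# Plain names only: no path separators, no leading dot, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


@dataclass
class Verdict:
    accepted: bool
    reason: str


def validate_upload(filename: str, declared_mime: str, content: bytes,
                    max_bytes: int = 10 * 1024 * 1024) -> Verdict:
    """Return a Verdict; the caller stores the file only when accepted is True."""
    if not SAFE_NAME.match(filename):
        return Verdict(False, "filename contains disallowed characters or path components")
    if len(content) == 0 or len(content) > max_bytes:
        return Verdict(False, "empty or oversized file")
    parts = filename.lower().rsplit(".", 1)
    if len(parts) < 2:
        return Verdict(False, "missing extension")
    ext = parts[1]
    if ext not in ALLOWED:
        return Verdict(False, f"extension '.{ext}' not on allowlist")
    if declared_mime.lower() not in ALLOWED[ext]:
        return Verdict(False, f"declared MIME type '{declared_mime}' does not match '.{ext}'")
    # Content checks are what stop a renamed executable (e.g. a PE saved as invoice.pdf).
    for sig in EXECUTABLE_MAGIC:
        if content.startswith(sig):
            return Verdict(False, "content is an executable or script")
    if ext in MAGIC and not any(content.startswith(sig) for sig in MAGIC[ext]):
        return Verdict(False, f"content does not look like a .{ext} file")
    if ext == "csv":
        # Text types carry no magic bytes; require that they are at least decodable text.
        try:
            content.decode("utf-8")
        except UnicodeDecodeError:
            return Verdict(False, "csv is not valid UTF-8 text")
    return Verdict(True, "ok")


def run_demo() -> dict:
    """Validate a set of constructed uploads and return {filename: reason}."""
    samples = [
        ("report.pdf", "application/pdf", b"%PDF-1.7\n%constructed sample\n"),
        ("logo.png", "image/png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
        ("update.exe", "application/octet-stream", b"MZ\x90\x00\x03\x00"),
        ("invoice.pdf", "application/pdf", b"MZ\x90\x00\x03\x00"),   # renamed executable
        ("photo.jpg", "image/png", b"\xff\xd8\xff\xe0"),              # MIME/extension mismatch
        ("notes.csv", "text/csv", b"\xff\xfe\x00\x00binary"),         # binary posing as text
        ("../etc/passwd", "text/plain", b"root:x:0:0"),              # path in filename
    ]
    return {name: validate_upload(name, mime, data).reason for name, mime, data in samples}


if __name__ == "__main__":
    for name, reason in run_demo().items():
        print(f"{name:16} -> {reason}")
```

Only the first two samples are accepted; every other one is refused for a reason a log line or audit trail can record, which also gives the monitoring step in the recommendations something concrete to alert on.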
Affected Countries
United States, Germany, India, United Kingdom, France, Japan, Australia, Canada, Brazil, Netherlands, Switzerland, Singapore
Technical Details
- Data Version: 5.1
- Assigner Short Name: sap
- Date Reserved: 2025-04-16T13:25:25.737Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ed9e3ae121319cf76b7b4e
Added to database: 10/14/2025, 12:50:02 AM
Last enriched: 2/27/2026, 2:03:43 AM
Last updated: 3/25/2026, 11:46:13 PM