CVE-2025-42920 is a Cross-Site Scripting (XSS) vulnerability identified in SAP Supplier Relationship Management (SRM) versions 700, 701, 702, 713, and 714. This vulnerability arises from improper neutralization of input during web page generation (CWE-79), allowing an unauthenticated attacker to craft a malicious URL containing injected script code. When an authenticated user accesses this malicious link, the injected input is processed and executed within the victim's browser context. This execution enables the attacker to access and modify information accessible within the browser session, thereby compromising confidentiality and integrity of the user's data. The vulnerability does not impact system availability. The CVSS v3.1 base score is 6.1 (medium severity), reflecting that the attack vector is network-based (AV:N), requires no privileges (PR:N), but does require user interaction (UI:R). The scope is changed (S:C), indicating that the vulnerability affects resources beyond the initially vulnerable component. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk due to the widespread use of SAP SRM in enterprise procurement and supply chain management. The lack of available patches at the time of publication necessitates immediate attention to mitigation strategies to prevent exploitation.

For European organizations, the impact of this vulnerability can be substantial, especially for enterprises relying on SAP SRM for critical supplier relationship and procurement workflows. Exploitation could lead to unauthorized disclosure and modification of sensitive business data accessible through the victim's browser session, including supplier information, contract details, and procurement transactions. This can result in data breaches, fraud, and manipulation of procurement processes, potentially causing financial losses and reputational damage. Since SAP SRM is often integrated with other enterprise resource planning (ERP) systems, the compromise of browser session data could facilitate lateral movement or further attacks within the corporate network. The requirement for user interaction (clicking a malicious link) means phishing campaigns could be an effective attack vector, increasing the risk for organizations with less mature security awareness programs. However, availability of services remains unaffected, so operational disruption is unlikely. Overall, the vulnerability threatens confidentiality and integrity of critical business data in European enterprises using affected SAP SRM versions.

Given the absence of official patches at the time of disclosure, European organizations should implement the following specific mitigations: 1) Deploy robust web application firewalls (WAFs) with custom rules to detect and block malicious input patterns targeting SAP SRM web interfaces. 2) Enforce strict Content Security Policy (CSP) headers to restrict execution of unauthorized scripts within the SAP SRM web application context. 3) Conduct targeted user awareness training emphasizing the risks of clicking unsolicited or suspicious links, particularly those related to procurement or supplier communications. 4) Implement network segmentation to isolate SAP SRM servers and limit access to trusted users only. 5) Monitor web server and application logs for unusual URL access patterns indicative of attempted exploitation. 6) Where feasible, restrict or disable the rendering of user-supplied input in web pages or sanitize inputs at the application layer using custom validation proxies until official patches are released. 7) Coordinate with SAP support channels to obtain and apply security updates promptly once available. These measures, combined, reduce the attack surface and likelihood of successful exploitation.