CVE-2025-42946 is a directory traversal vulnerability identified in SAP S/4HANA's Bank Communication Management module. This vulnerability arises due to improper limitation of a pathname to a restricted directory (CWE-22), allowing an attacker with high privileges and access to a specific transaction and method within the Bank Communication Management component to manipulate file paths. Exploiting this flaw, the attacker can traverse directories beyond the intended scope and gain unauthorized access to sensitive operating system files. The vulnerability primarily impacts confidentiality, as the attacker could read sensitive files, and to a lesser extent integrity, since deletion of files is also possible. However, availability remains unaffected. The affected SAP versions include multiple releases across SAP_APPL, SAP_FIN, and S4CORE components, indicating a broad impact across SAP S/4HANA deployments. The CVSS v3.1 base score is 6.9 (medium severity), with the vector indicating the attack requires adjacent network access (AV:A), low attack complexity (AC:L), high privileges (PR:H), no user interaction (UI:N), and impacts confidentiality highly (C:H), integrity lightly (I:L), and no impact on availability (A:N). No known exploits are currently in the wild, and no patches are linked yet, suggesting the vulnerability is newly disclosed. The vulnerability's exploitation requires an attacker to have high privileges and access to specific transactions, limiting the attack surface but still posing a significant risk within compromised or insider threat scenarios. Given SAP S/4HANA's critical role in enterprise resource planning and financial operations, unauthorized access to OS files could lead to exposure of sensitive data and potential manipulation of system files, undermining organizational security and compliance.

For European organizations, this vulnerability poses a significant risk due to the widespread adoption of SAP S/4HANA in financial and operational environments. The Bank Communication Management module is integral to handling sensitive financial transactions and communications with banking institutions. Unauthorized access to operating system files could lead to exposure of confidential financial data, customer information, or internal credentials, potentially resulting in regulatory non-compliance with GDPR and other data protection laws. The ability to delete files, although limited in impact, could disrupt internal processes or forensic investigations. Since the vulnerability requires high privileges, the primary risk vector is insider threats or attackers who have already compromised privileged accounts. The medium severity score reflects the balance between the required privileges and the high confidentiality impact. European organizations with SAP S/4HANA deployments should consider this vulnerability critical in the context of financial data protection and operational security, especially in sectors like banking, insurance, and large enterprises where SAP is heavily used.

1. Immediate review and restriction of user privileges within SAP S/4HANA, ensuring that only necessary personnel have access to the Bank Communication Management transactions and methods. 2. Implement strict monitoring and auditing of privileged user activities related to Bank Communication Management to detect any anomalous access patterns. 3. Apply SAP security notes and patches as soon as they become available for this CVE to remediate the vulnerability. 4. Employ network segmentation to limit adjacent network access to SAP systems, reducing the attack surface. 5. Conduct regular security assessments and penetration testing focusing on SAP modules to identify potential privilege escalations or misuse. 6. Enhance logging and alerting on file access operations at the operating system level for SAP servers to detect unauthorized file reads or deletions. 7. Educate SAP administrators and users about the risks of privilege misuse and enforce strong authentication mechanisms to protect high-privilege accounts. 8. Consider deploying application-level controls or web application firewalls that can detect and block directory traversal attempts if feasible within the SAP environment.