CVE-2025-42967 is a critical vulnerability classified under CWE-94 (Improper Control of Generation of Code) affecting SAP S/4HANA and SAP SCM products, specifically within the Characteristic Propagation functionality. This flaw allows an authenticated attacker with user-level privileges to create new reports containing arbitrary code, which the system then executes. The vulnerability arises due to insufficient validation or control over dynamically generated code, enabling remote code execution (RCE). Successful exploitation can lead to complete compromise of the SAP system, allowing attackers to manipulate data, disrupt operations, or exfiltrate sensitive information. The affected versions span several releases of SAP S/4HANA core and SCM modules, including SCMAPO 713 and 714, S4CORE 102 through 108, and SCM versions 700 through 712. The CVSS v3.1 score is 9.9, reflecting the vulnerability's ease of exploitation over the network (AV:N), low attack complexity (AC:L), requirement for privileges (PR:L), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no public exploits are known yet, the critical nature and potential impact necessitate immediate attention. The vulnerability was publicly disclosed on July 8, 2025, with no patches currently linked, indicating the need for vigilance and interim mitigations.

The impact of CVE-2025-42967 is severe for organizations using affected SAP S/4HANA and SCM versions. An attacker exploiting this vulnerability can gain full control over the SAP system, compromising all data confidentiality, integrity, and availability. This can lead to unauthorized data access, data manipulation, disruption of critical business processes, and potential lateral movement within the enterprise network. Given SAP's central role in enterprise resource planning and supply chain management, exploitation could disrupt financial operations, inventory management, and other core business functions. The vulnerability's remote exploitability and lack of required user interaction increase the risk of automated attacks. Organizations worldwide relying on these SAP products face significant operational and reputational risks if exploited.

Until official patches are released, organizations should implement strict access controls to limit user-level privileges within SAP systems, ensuring only trusted personnel have report creation rights. Employ SAP's security notes and hardening guides to restrict or monitor the use of Characteristic Propagation features. Enable detailed logging and monitoring of report creation and execution activities to detect anomalous behavior promptly. Network segmentation should isolate SAP systems from less trusted networks to reduce exposure. Regularly review and audit user permissions to minimize privilege creep. Once SAP releases patches, prioritize immediate deployment after testing in controlled environments. Additionally, consider implementing application-level whitelisting or code integrity checks if supported by SAP to prevent unauthorized code execution within reports.