
CVE-2025-42984: CWE-862: Missing Authorization in SAP_SE SAP S/4HANA (Manage Central Purchase Contract application)

Severity: Medium
Tags: Vulnerability, CVE-2025-42984, CWE-862
Published: Tue Jun 10 2025 (06/10/2025, 00:11:29 UTC)
Source: CVE Database V5
Vendor/Project: SAP_SE
Product: SAP S/4HANA (Manage Central Purchase Contract application)

Description

SAP S/4HANA Manage Central Purchase Contract does not perform the necessary authorization checks for an authenticated user. Due to this, an attacker could execute the function import on the entity, making it inaccessible to unrestricted users. This has a low impact on the confidentiality and availability of the application.

AI-Powered Analysis

AI analysis last updated: 07/11/2025, 00:31:45 UTC

Technical Analysis

CVE-2025-42984 is a medium-severity vulnerability identified in the SAP S/4HANA Manage Central Purchase Contract application, specifically affecting versions S4CORE 106, 107, and 108. The vulnerability is classified under CWE-862, which denotes missing authorization. In this case, the application fails to perform the necessary authorization checks for authenticated users when executing a function import on a particular entity. This flaw allows an attacker with valid credentials and privileges to invoke this function import without proper authorization validation, potentially making the entity inaccessible to unrestricted users. The vulnerability impacts the integrity of access control mechanisms within the application but has a low impact on confidentiality and availability.

The CVSS v3.1 base score is 5.4, reflecting a medium severity level, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), required privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), low confidentiality impact (C:L), no integrity impact (I:N), and low availability impact (A:L). No known exploits are currently reported in the wild, and no patches have been linked yet.

The vulnerability arises from the absence of proper authorization checks, which is a critical security control failure in enterprise resource planning (ERP) systems like SAP S/4HANA that manage sensitive business processes such as purchase contracts. Exploitation could lead to unauthorized manipulation of, or denial of access to, contract data, potentially disrupting procurement workflows and causing operational inefficiencies.

Potential Impact

For European organizations, especially those heavily reliant on SAP S/4HANA for procurement and supply chain management, this vulnerability poses a risk to the integrity and availability of central purchase contract data. Although the confidentiality impact is low, unauthorized users with valid credentials could disrupt contract management processes by making entities inaccessible, leading to delays in procurement, financial discrepancies, and potential compliance issues. This could affect industries such as manufacturing, retail, and public sector entities where SAP S/4HANA is widely deployed. The disruption of purchase contract accessibility may also impact supplier relationships and contractual obligations. Given the interconnected nature of supply chains in Europe, such disruptions could cascade, affecting broader operational continuity. Additionally, the requirement for authenticated access means insider threats or compromised user accounts could be leveraged to exploit this vulnerability. The absence of known exploits reduces immediate risk, but organizations should not underestimate the potential for targeted attacks aiming to disrupt critical business functions.

Mitigation Recommendations

European organizations should implement the following specific mitigations:

1. Conduct an immediate audit of user privileges and roles within the SAP S/4HANA Manage Central Purchase Contract application to ensure the principle of least privilege is enforced, minimizing the number of users with access to sensitive functions.
2. Monitor and log all function import executions related to purchase contract entities to detect anomalous or unauthorized activity promptly.
3. Apply SAP security notes and patches as soon as they become available for CVE-2025-42984; in the absence of patches, consider temporary compensating controls such as restricting access to the affected application modules via network segmentation or SAP authorization objects.
4. Implement strong authentication mechanisms, including multi-factor authentication (MFA), to reduce the risk of credential compromise.
5. Conduct regular security training for SAP administrators and users to raise awareness about the risks of privilege misuse.
6. Engage in proactive vulnerability management and penetration testing focused on authorization controls within SAP environments to identify and remediate similar issues.
7. Collaborate with SAP support and security teams to receive timely updates and guidance on this vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: sap
Date Reserved: 2025-04-16T13:25:48.060Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68487f551b0bd07c3938a262

Added to database: 6/10/2025, 6:54:13 PM

Last enriched: 7/11/2025, 12:31:45 AM

Last updated: 8/8/2025, 2:33:33 AM
