CVE-2025-42984 is a medium-severity vulnerability identified in the SAP S/4HANA Manage Central Purchase Contract application, specifically affecting versions S4CORE 106, 107, and 108. The vulnerability is classified under CWE-862, which denotes missing authorization. In this case, the application fails to perform necessary authorization checks for authenticated users when executing a function import on a particular entity. This flaw allows an attacker with valid credentials and privileges to invoke this function import without proper authorization validation, potentially making the entity inaccessible to unrestricted users. The vulnerability impacts the integrity of access control mechanisms within the application but has a low impact on confidentiality and availability. The CVSS v3.1 base score is 5.4, reflecting a medium severity level, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), low confidentiality impact (C:L), no integrity impact (I:N), and low availability impact (A:L). No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability arises from the absence of proper authorization checks, which is a critical security control failure in enterprise resource planning (ERP) systems like SAP S/4HANA that manage sensitive business processes such as purchase contracts. Exploitation could lead to unauthorized manipulation or denial of access to contract data, potentially disrupting procurement workflows and causing operational inefficiencies.

For European organizations, especially those heavily reliant on SAP S/4HANA for procurement and supply chain management, this vulnerability poses a risk to the integrity and availability of central purchase contract data. Although the confidentiality impact is low, unauthorized users with valid credentials could disrupt contract management processes by making entities inaccessible, leading to delays in procurement, financial discrepancies, and potential compliance issues. This could affect industries such as manufacturing, retail, and public sector entities where SAP S/4HANA is widely deployed. The disruption of purchase contract accessibility may also impact supplier relationships and contractual obligations. Given the interconnected nature of supply chains in Europe, such disruptions could cascade, affecting broader operational continuity. Additionally, the requirement for authenticated access means insider threats or compromised user accounts could be leveraged to exploit this vulnerability. The absence of known exploits reduces immediate risk, but organizations should not underestimate the potential for targeted attacks aiming to disrupt critical business functions.

European organizations should implement the following specific mitigations: 1) Conduct an immediate audit of user privileges and roles within the SAP S/4HANA Manage Central Purchase Contract application to ensure the principle of least privilege is enforced, minimizing the number of users with access to sensitive functions. 2) Monitor and log all function import executions related to purchase contract entities to detect anomalous or unauthorized activity promptly. 3) Apply SAP security notes and patches as soon as they become available for CVE-2025-42984; in the absence of patches, consider temporary compensating controls such as restricting access to the affected application modules via network segmentation or SAP authorization objects. 4) Implement strong authentication mechanisms, including multi-factor authentication (MFA), to reduce the risk of credential compromise. 5) Conduct regular security training for SAP administrators and users to raise awareness about the risks of privilege misuse. 6) Engage in proactive vulnerability management and penetration testing focused on authorization controls within SAP environments to identify and remediate similar issues. 7) Collaborate with SAP support and security teams to receive timely updates and guidance on this vulnerability.