
CVE-2025-42991: CWE-862: Missing Authorization in SAP_SE SAP S/4HANA (Bank Account Application)

Medium
Tags: Vulnerability, CVE-2025-42991, CWE-862
Published: Tue Jun 10 2025 (06/10/2025, 00:12:53 UTC)
Source: CVE Database V5
Vendor/Project: SAP_SE
Product: SAP S/4HANA (Bank Account Application)

Description

SAP S/4HANA (Bank Account Application) does not perform necessary authorization checks. This allows an authenticated 'approver' user to delete an attachment from another user's bank account application, leading to a low impact on integrity, with no impact on the confidentiality of the data or the availability of the application.

AI-Powered Analysis

Last updated: 07/11/2025, 00:32:16 UTC

Technical Analysis

CVE-2025-42991 is a missing-authorization vulnerability (CWE-862) in the SAP S/4HANA Bank Account Application. An authenticated user holding the 'approver' role can delete attachments that belong to bank account applications submitted by other users. The deletion action does not verify that the approver is entitled to act on the particular application whose attachment is being removed: the CVE text describes an approver deleting attachments "of other user", which is the pattern of a missing object-level (per-record) authorization check rather than a missing role check. The authenticated approver is a legitimate role; the defect is that the role alone is accepted as sufficient for any record.

Only integrity is affected: an approver can remove documentation attached to applications they should not be able to touch. No data is disclosed (no confidentiality impact) and the application keeps running (no availability impact). The CVSS v3.1 base score is 4.3 (Medium), with vector components AV:N (network), AC:L (low complexity), PR:L (low privileges, an authenticated approver account), UI:N (no user interaction), S:U (scope unchanged), C:N, I:L, A:N.

The affected version listed is SAP S/4HANA S4CORE 108. At the time of this analysis no exploitation in the wild had been reported and no patch was linked to the entry. The CVE was reserved on 2025-04-16 and published on 2025-06-10.
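The following is an added illustration of the bug class described above, not SAP code and not a reproduction of the actual S/4HANA implementation. It models an attachment-delete action with only a role check (the CWE-862 pattern) next to a version that also performs the object-level check. The entity names, the 'approver' role, and the policy "an approver may act only on applications assigned to them, an owner on their own application" are assumptions chosen for the example.

```python
# Added example (not SAP code): CWE-862 in an attachment-delete action,
# vulnerable form beside a hardened form. Data model and policy are assumed.
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    pass


@dataclass
class BankAccountApplication:
    app_id: str
    owner: str                      # user who submitted the application
    assigned_approvers: frozenset   # approvers entitled to act on this record
    attachments: dict = field(default_factory=dict)  # attachment_id -> filename


class AttachmentService:
    def __init__(self, applications, user_roles):
        self.apps = {a.app_id: a for a in applications}
        self.user_roles = user_roles  # user -> set of role names

    def _has_role(self, actor, role):
        return role in self.user_roles.get(actor, set())

    def delete_attachment_vulnerable(self, actor, app_id, attachment_id):
        """CWE-862 pattern: the function-level check (is the caller an approver?)
        is present, but nothing ties the caller to this particular application,
        so any approver can delete attachments on anyone's application."""
        if not self._has_role(actor, "approver"):
            raise AuthorizationError(f"{actor} lacks the approver role")
        app = self.apps[app_id]
        return app.attachments.pop(attachment_id)

    def delete_attachment_fixed(self, actor, app_id, attachment_id):
        """Object-level check added: the actor must be the application owner or
        an approver explicitly assigned to this application. The record is
        looked up first so the check runs against the real record, and unknown
        ids fail closed with the same error as a denied request."""
        app = self.apps.get(app_id)
        if app is None or attachment_id not in app.attachments:
            raise AuthorizationError("no such attachment or not visible to caller")
        is_owner = actor == app.owner
        is_assigned = actor in app.assigned_approvers and self._has_role(actor, "approver")
        if not (is_owner or is_assigned):
            raise AuthorizationError(f"{actor} may not act on application {app_id}")
        return app.attachments.pop(attachment_id)


def build_demo_service():
    """Constructed sample data: two applications and two approvers, each
    assigned to exactly one application."""
    apps = [
        BankAccountApplication("APP-1", "alice", frozenset({"bob"}), {"A1": "id_scan.pdf"}),
        BankAccountApplication("APP-2", "carol", frozenset({"dave"}), {"A2": "proof_of_address.pdf"}),
    ]
    roles = {"bob": {"approver"}, "dave": {"approver"}, "alice": set(), "carol": set()}
    return AttachmentService(apps, roles)


def demo():
    """bob (approver on APP-1 only) tries to delete an attachment on carol's
    APP-2. Returns (what the vulnerable path deleted, whether the fixed path
    blocked it, whether the attachment survived in the fixed service)."""
    vulnerable = build_demo_service()
    deleted = vulnerable.delete_attachment_vulnerable("bob", "APP-2", "A2")  # succeeds: the bug

    fixed = build_demo_service()
    try:
        fixed.delete_attachment_fixed("bob", "APP-2", "A2")
        blocked = False
    except AuthorizationError:
        blocked = True
    return deleted, blocked, "A2" in fixed.apps["APP-2"].attachments


if __name__ == "__main__":
    print(demo())  # ('proof_of_address.pdf', True, True)
```

The fix is deliberately not "remove the approver role": the role is legitimate. The missing piece is the per-record check, which is why mitigation by tightening role assignments only shrinks the pool of users who can trigger the flaw rather than closing it.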

Potential Impact

For European organizations running the SAP S/4HANA Bank Account Application, this vulnerability is a data-integrity risk inside financial workflows. Unauthorized deletion of attachments can break audit trails, remove compliance documentation, and undermine internal controls around bank account management. That can attract regulatory scrutiny under European regimes such as GDPR (which requires the integrity of personal data) and PSD2, where accurate record-keeping is mandatory. Confidentiality and availability are not directly affected, but a malicious insider could use the integrity compromise to cover fraud or financial mismanagement by deleting the evidence attached to an application. Organizations that depend on SAP S/4HANA for banking or financial operations may face operational disruption or reputational damage if such deletions go unnoticed. Because exploitation requires an authenticated approver account, the realistic threat is an insider or a compromised privileged account rather than an unauthenticated external attacker.

Mitigation Recommendations

European organizations should implement the following specific mitigations:

1) Apply the SAP Security Note for this CVE as soon as it is available. This is the only change that removes the missing object-level check; everything below is a compensating control that limits who can abuse the flaw and how quickly abuse is noticed.
2) Enforce strict role-based access controls (RBAC) and regularly audit who holds the approver role. Tightening role assignments does not fix the flaw, since any legitimate approver can still trigger it, but it shrinks the population of accounts that can.
3) Monitor and alert on attachment deletions within the Bank Account Application, in particular deletions performed by a user who is neither the owner of the application nor an approver assigned to it, and approvers deleting across many distinct applications in a short period.
4) Review attachment management workflows periodically and add application-level logging (for example SAP change documents or the Security Audit Log) so that every deletion records who deleted what, and when, for later reconstruction.
5) Require multi-factor authentication (MFA) for approver accounts to reduce the risk of credential compromise.
6) Train staff to safeguard privileged accounts and to recognize and report suspicious activity.
7) Where possible, restrict network access to SAP S/4HANA interfaces to trusted internal networks or VPNs to reduce exposure.
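As an added example of the monitoring recommended above (not an SAP tool and not SAP's audit-log format), the following runs two simple detectors over a constructed JSON-lines audit trail of attachment events: one flags each deletion where the actor is neither the application owner nor an assigned approver, the other flags an actor deleting across more than a threshold of distinct applications in the analysed batch. The ownership table, field names, and sample events are all constructed for the illustration.

```python
# Added example (not SAP code): detection logic for cross-user attachment
# deletions. Log format, ownership table and sample events are constructed.
import json
from collections import defaultdict

# Constructed ownership/assignment table: app_id -> (owner, assigned approvers)
APPLICATION_ACL = {
    "APP-1": ("alice", {"bob"}),
    "APP-2": ("carol", {"dave"}),
    "APP-3": ("erin", {"dave"}),
    "APP-4": ("frank", {"bob"}),
}

# Constructed sample audit trail as JSON lines (timestamps in UTC).
SAMPLE_LOG = """
{"ts": "2025-06-11T08:01:10Z", "user": "bob",   "action": "DELETE_ATTACHMENT", "app_id": "APP-1", "attachment_id": "A1"}
{"ts": "2025-06-11T08:02:41Z", "user": "dave",  "action": "DELETE_ATTACHMENT", "app_id": "APP-2", "attachment_id": "A2"}
{"ts": "2025-06-11T08:03:05Z", "user": "dave",  "action": "DELETE_ATTACHMENT", "app_id": "APP-1", "attachment_id": "A3"}
{"ts": "2025-06-11T08:03:09Z", "user": "dave",  "action": "DELETE_ATTACHMENT", "app_id": "APP-4", "attachment_id": "A4"}
{"ts": "2025-06-11T08:10:00Z", "user": "alice", "action": "UPLOAD_ATTACHMENT", "app_id": "APP-1", "attachment_id": "A5"}
{"ts": "2025-06-11T08:11:00Z", "user": "carol", "action": "DELETE_ATTACHMENT", "app_id": "APP-2", "attachment_id": "A6"}
"""


def parse_log(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def is_cross_user_deletion(event, acl=APPLICATION_ACL):
    """True when a deletion is performed by someone who is neither the owner
    of the application nor an approver assigned to it (the abuse pattern of
    CVE-2025-42991). An application missing from the ACL is flagged too, so
    an incomplete ownership table fails closed rather than hiding events."""
    if event["action"] != "DELETE_ATTACHMENT":
        return False
    entry = acl.get(event["app_id"])
    if entry is None:
        return True
    owner, approvers = entry
    return event["user"] != owner and event["user"] not in approvers


def find_suspicious_deletions(events, acl=APPLICATION_ACL, max_apps=2):
    """Returns alerts as tuples. Detector 1 is per event (cross-user delete);
    detector 2 is per user: deletions spread over more than `max_apps`
    distinct applications in this batch, which is how an approver abusing
    the flaw against many applications would look."""
    alerts = []
    apps_per_user = defaultdict(set)
    for ev in events:
        if is_cross_user_deletion(ev, acl):
            alerts.append(("cross_user_delete", ev["user"], ev["app_id"], ev["attachment_id"]))
        if ev["action"] == "DELETE_ATTACHMENT":
            apps_per_user[ev["user"]].add(ev["app_id"])
    for user, apps in sorted(apps_per_user.items()):
        if len(apps) > max_apps:
            alerts.append(("multi_app_delete", user, len(apps)))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_deletions(parse_log(SAMPLE_LOG)):
        print(alert)
```

In the sample, bob's deletion on APP-1 and carol's on her own APP-2 pass, dave's deletions on APP-1 and APP-4 are flagged individually, and dave is additionally flagged for touching three distinct applications. The second detector is what catches abuse even when the ownership table is stale, because an approver legitimately assigned to many applications rarely deletes attachments across all of them within one batch.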


Technical Details

Data Version
5.1
Assigner Short Name
sap
Date Reserved
2025-04-16T13:25:48.060Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68487f551b0bd07c3938a2c6

Added to database: 6/10/2025, 6:54:13 PM

Last enriched: 7/11/2025, 12:32:16 AM

Last updated: 8/6/2025, 5:17:39 PM

