CVE-2025-42993 is a vulnerability classified under CWE-862 (Missing Authorization) found in SAP S/4HANA's Enterprise Event Enablement module, specifically affecting SAP_GWFND versions 757 and 758. The flaw arises because the system fails to enforce proper authorization checks when managing the Inbound Binding Configuration. An attacker who already has access to this configuration interface can create a Remote Function Call (RFC) destination and assign it to an arbitrary high-privilege user account. This misconfiguration allows the attacker to consume events via the RFC destination, effectively enabling code execution with the privileges of the assigned high-privilege user. While the vulnerability has a low impact on system availability, it poses a significant threat to confidentiality and integrity, as unauthorized code execution can lead to data breaches, unauthorized data manipulation, or further system compromise. The vulnerability requires the attacker to have high privileges initially but does not require any user interaction, making it a direct privilege escalation vector within the SAP environment. No public exploits have been reported yet, but the medium CVSS score of 6.7 reflects the moderate ease of exploitation combined with the high impact on confidentiality and integrity. The vulnerability was published on June 10, 2025, and remains unpatched as no patch links are provided.

The primary impact of CVE-2025-42993 is on the confidentiality and integrity of SAP S/4HANA systems. An attacker exploiting this vulnerability can execute arbitrary code with high-privilege user rights, potentially leading to unauthorized access to sensitive business data, data manipulation, or disruption of business processes. Although availability impact is low, the ability to escalate privileges and execute code can facilitate further attacks, including data exfiltration, installation of persistent backdoors, or lateral movement within the enterprise network. Organizations relying on SAP S/4HANA for critical enterprise resource planning (ERP) functions may face severe operational and reputational damage if exploited. The requirement for initial high privileges limits the attack surface to insiders or attackers who have already compromised lower-level accounts, but the lack of authorization checks significantly lowers the barrier for privilege escalation. This vulnerability can be particularly damaging in industries with stringent data protection requirements such as finance, healthcare, manufacturing, and government sectors.

To mitigate CVE-2025-42993, organizations should immediately audit and restrict access to the Inbound Binding Configuration interface within SAP S/4HANA, ensuring only trusted administrators have permissions. Implement strict role-based access controls (RBAC) and enforce the principle of least privilege to minimize the number of users with high-level privileges. Monitor and log all changes to RFC destinations and binding configurations to detect unauthorized modifications. Since no official patches are available yet, consider deploying compensating controls such as network segmentation to isolate SAP systems and limit exposure to potentially compromised accounts. Regularly review SAP security notes and vendor advisories for updates or patches addressing this vulnerability. Additionally, conduct internal penetration testing and code reviews focused on authorization checks within SAP modules to identify and remediate similar weaknesses proactively. Employ SAP’s security audit logs and event monitoring tools to detect suspicious activity related to RFC destination creation or event consumption.