
CVE-2025-43008: CWE-862: Missing Authorization in SAP_SE SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal

Medium
Tags: Vulnerability, CVE-2025-43008, cve, cwe-862
Published: Tue May 13 2025 (05/13/2025, 00:19:30 UTC)
Source: CVE
Vendor/Project: SAP_SE
Product: SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal

Description

Due to a missing authorization check, an unauthorized user can view the files of another company. This might lead to disclosure of personal data of employees. There is no impact on integrity and availability.

AI-Powered Analysis

Last updated: 07/12/2025, 02:01:12 UTC

Technical Analysis

CVE-2025-43008 is a medium-severity vulnerability in SAP SE's SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal components. The root cause is a missing authorization check (CWE-862): a user who holds privileges in the system, but is not authorized for another company's data, can nevertheless view that company's files. Because those files hold HR data, the practical consequence is disclosure of employees' personal data. Integrity and availability are not affected: the flaw does not let data be altered or deleted, and it cannot be used to disrupt system operation. The affected versions are S4HCMCPT 100 and 101, and SAP_HRCPT 600, 604, and 608.

The CVSS v3.1 base score is 5.8 (Medium), with vector AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N: network attack vector, high attack complexity, high privileges required, no user interaction, changed scope, high confidentiality impact, and no integrity or availability impact. In CVSS terms, changed scope means the impact extends beyond the security scope of the vulnerable component, which is consistent with a check that fails to confine a user to their own company's data. No exploits in the wild were known at publication, and no patches were linked on this page at the time of analysis. The vulnerability matters because it compromises the confidentiality of employee personal data, which is subject to strict data protection rules, especially in Europe: users who hold privileges but are not authorized for other companies' data can still read that data, so the authorization model the organization believes is in force is not actually enforced for these files.

Potential Impact

For European organizations the main consequence is regulatory: unauthorized disclosure of employee personal data falls under the General Data Protection Regulation (GDPR) and national privacy law, and can lead to fines, legal liability and reputational damage. SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal are used by multinational companies operating in Portugal and other European countries, so cross-company data leakage is a realistic scenario rather than a corner case. The exposed files can contain identification numbers, payroll data and other HR details. Although the flaw does not affect data integrity or system availability, exposure of personal data on its own can erode the trust of employees and partners, and leaked data can feed identity theft or social engineering. The need for high privileges narrows the attacker population to insiders and compromised privileged accounts, but both remain realistic threats, and an attacker who reaches that level through privilege escalation is in scope as well. Because no user interaction is needed, an attacker who already holds the required privileges can exploit the flaw silently and at scale.

Mitigation Recommendations

Because no patch is linked on this page, the first step is to contact SAP support for the relevant security note and any available workaround, and to apply it as soon as it is released. In the meantime, review and tighten authorization policies and role assignments in the SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal environments so that no user holds privileges beyond what their job requires, and audit existing assignments with a specific focus on cross-company data access rights: the flaw is only reachable by users who already hold high privileges, so the size of that population is the main control the organization owns today. Enforce segregation of duties to limit what a single privileged account can do. Monitor access logs for HR data for unusual patterns, in particular reads of another company's files by users whose role covers only one company. Where practical, add application-level access controls or data masking in front of sensitive HR data until the fix is in place.

Complementary controls round this out: network segmentation and strong authentication (multi-factor authentication) for administrative access reduce the chance that an external attacker obtains the privileges the flaw requires; regular training for administrators and privileged users on access control and the consequences of privilege misuse addresses the insider case; and an incident response plan that specifically covers breaches of HR data ensures rapid containment and, where required, regulatory notification if exploitation is detected.
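The two audit steps recommended above, checking who is assigned to more than one company and checking the access log for reads outside a user's assigned companies, can be scripted. The Python below is an added example, not part of this page's analysis or of any SAP tooling. The role assignments, user names, company codes, file names and the pipe-separated log layout are all constructed for the example; a real deployment would export role-to-company-code assignments from the SAP system and feed it lines from whatever access log it keeps (for instance SAP's Security Audit Log or Read Access Logging), mapped into the same four fields.

```python
from collections import defaultdict

# Constructed role assignments (hypothetical users and company codes, not from
# any real SAP system): user -> company codes the user is authorized to see.
ASSIGNED_COMPANIES = {
    "HRADMIN_PT": {"PT01"},
    "HRADMIN_ES": {"ES01"},
    "PAYROLL_GLOBAL": {"PT01", "ES01", "DE01"},
}

# Constructed access-log lines: timestamp|user|company_code|file.
# This layout is an assumption for the example, not SAP's native log format.
SAMPLE_LOG = """\
2025-05-14T08:01:12Z|HRADMIN_PT|PT01|HRPT_DECLARATION_2025_04.TXT
2025-05-14T08:03:40Z|HRADMIN_PT|ES01|HRES_PAYROLL_2025_04.TXT
2025-05-14T08:05:02Z|HRADMIN_ES|ES01|HRES_PAYROLL_2025_04.TXT
2025-05-14T09:17:55Z|PAYROLL_GLOBAL|DE01|HRDE_PAYROLL_2025_04.TXT
2025-05-14T11:42:09Z|CONTRACTOR_X|PT01|HRPT_DECLARATION_2025_04.TXT
"""


def parse_log(text):
    """Parse the pipe-separated lines into dicts; blank lines are skipped and a
    malformed line raises rather than being silently dropped from an audit."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        fields = line.split("|", 3)
        if len(fields) != 4:
            raise ValueError("line %d: expected 4 fields, got %d" % (lineno, len(fields)))
        ts, user, company, filename = fields
        entries.append({"ts": ts, "user": user, "company": company, "file": filename})
    return entries


def cross_company_accesses(entries, assigned):
    """Entries where a user read a file for a company code outside their
    assignment. A user with no assignment at all is treated as assigned to
    nothing, so every access by such an account is flagged."""
    return [e for e in entries if e["company"] not in assigned.get(e["user"], set())]


def broad_access_users(assigned, max_companies=1):
    """Users whose assignments span more than max_companies company codes:
    the privileged population that a missing cross-company check exposes."""
    return sorted(u for u, cs in assigned.items() if len(cs) > max_companies)


def companies_touched(entries):
    """Per user, the set of company codes actually read; a baseline to compare
    against assignments when deciding whether a broad role is really needed."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["user"]].add(e["company"])
    return dict(seen)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("users assigned to more than one company:", broad_access_users(ASSIGNED_COMPANIES))
    for e in cross_company_accesses(entries, ASSIGNED_COMPANIES):
        print("FLAG %s %s read %s/%s" % (e["ts"], e["user"], e["company"], e["file"]))
    for user, cs in companies_touched(entries).items():
        print("%s touched %s" % (user, sorted(cs)))
```

On the constructed data the script flags two reads: HRADMIN_PT reading an ES01 payroll file, which is exactly the cross-company pattern this CVE enables, and CONTRACTOR_X, an account with no assignment at all. PAYROLL_GLOBAL is not flagged in the log but is reported as a broad-access user, which is the list to review when deciding whether such cross-company roles are justified while the flaw is unpatched.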


Technical Details

Data Version
5.1
Assigner Short Name
sap
Date Reserved
2025-04-16T13:25:53.589Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d9816c4522896dcbd6563

Added to database: 5/21/2025, 9:08:38 AM

Last enriched: 7/12/2025, 2:01:12 AM

Last updated: 8/15/2025, 12:07:44 AM
