CVE-2025-43008 is a medium-severity vulnerability identified in SAP SE's SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal products. The root cause is a missing authorization check (CWE-862) that allows an unauthorized user with certain privileges to view files belonging to other companies within the system. This vulnerability specifically impacts the confidentiality of personal data of employees, as unauthorized access to sensitive HR data is possible. The flaw does not affect the integrity or availability of the system, meaning data cannot be altered or deleted, nor can system operations be disrupted through this vulnerability. The affected versions include S4HCMCPT 100 and 101, and SAP_HRCPT 600, 604, and 608. The CVSS v3.1 base score is 5.8, reflecting a medium severity level, with the vector indicating network attack vector (AV:N), high attack complexity (AC:H), high privileges required (PR:H), no user interaction (UI:N), scope changed (S:C), high confidentiality impact (C:H), and no impact on integrity or availability (I:N/A:N). There are no known exploits in the wild at the time of publication, and no patches have been linked yet. The vulnerability is significant because it compromises confidentiality of employee personal data, which is subject to strict data protection regulations, especially in Europe. The missing authorization check means that users with certain privileges but not authorized to access other companies’ data can still view that data, potentially leading to unauthorized disclosure of sensitive information.

For European organizations, this vulnerability poses a significant risk to compliance with the General Data Protection Regulation (GDPR) and other privacy laws, as unauthorized disclosure of employee personal data can lead to regulatory fines, legal liabilities, and reputational damage. Since SAP S/4HANA and SAP ERP HCM Portugal are widely used by multinational companies operating in Portugal and other European countries, the risk of cross-company data leakage is critical. The confidentiality breach could expose sensitive personal information such as identification numbers, payroll data, and other HR-related details. Although the vulnerability does not affect data integrity or system availability, the exposure of personal data alone can have severe consequences including loss of trust by employees and partners, and potential exploitation of the leaked data for identity theft or social engineering attacks. The requirement for high privileges to exploit the vulnerability somewhat limits the attack surface to insiders or compromised privileged accounts, but insider threats and privilege escalation attacks remain a realistic concern. The lack of user interaction needed means that once an attacker has the required privileges, exploitation can be automated or performed stealthily.

Organizations should immediately review and tighten authorization policies and role assignments within their SAP S/4HANA HCM Portugal and SAP ERP HCM Portugal environments to ensure that users do not have excessive privileges that could allow unauthorized data access. Conduct a thorough audit of user privileges focusing on cross-company data access rights. Implement strict segregation of duties to minimize the risk of privilege abuse. Monitor access logs for unusual or unauthorized access patterns to HR data. Since no patches are currently linked, organizations should engage with SAP support to obtain any available security updates or workarounds. Consider implementing additional application-level access controls or data masking for sensitive HR data until a patch is available. Regularly train administrators and privileged users on the importance of access controls and the risks of privilege misuse. Employ network segmentation and strong authentication mechanisms (e.g., multi-factor authentication) for administrative access to reduce the risk of privilege escalation. Finally, prepare an incident response plan specifically addressing potential data breaches involving HR data to ensure rapid containment and notification if exploitation occurs.