CVE-2025-26656
📋 TL;DR
This vulnerability in SAP's Manage Purchasing Info Records OData service allows authenticated users to escalate privileges due to missing authorization checks. It affects SAP systems with this specific service enabled. While it has low integrity impact, it enables unauthorized access to purchasing data.
💻 Affected Systems
- SAP S/4HANA
- SAP ERP
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could gain administrative privileges over purchasing information records, potentially modifying vendor data, pricing information, or purchase order workflows.
Likely Case
Authenticated users with limited permissions could access purchasing data they shouldn't see, potentially exposing sensitive vendor information or contract details.
If Mitigated
With proper network segmentation and strict authentication controls, impact is limited to authorized users within the SAP environment.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of OData service endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: See SAP Note 3474392 for specific patch versions
Vendor Advisory: https://me.sap.com/notes/3474392
Restart Required: Yes
Instructions:
1. Review SAP Note 3474392 for your specific SAP version.
2. Apply the security patch via SAP Solution Manager or manual update.
3. Restart affected SAP services.
4. Verify that authorization checks are now enforced.
🔧 Temporary Workarounds
Disable OData Service
Temporarily disable the vulnerable OData service if it is not required for business operations.
Transaction SICF: Deactivate /sap/opu/odata/sap/MANAGE_PURCHASING_INFO_RECORDS_SRV
Restrict Network Access
Limit network access to SAP OData services to authorized users only.
Configure firewall rules to restrict access to SAP OData ports (typically 443)
🧯 If You Can't Patch
- Implement strict role-based access control (RBAC) to limit which users can access purchasing functions
- Enable detailed auditing of OData service access and monitor for unauthorized privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Check whether SAP Note 3474392 has been applied via transaction SNOTE, or compare your version against the affected versions listed in the SAP Note.
Check Version:
Use transaction SM51 or SM50 to check the SAP kernel and application server versions.
Verify Fix Applied:
Test authorization checks by attempting to access purchasing info records with non-authorized user accounts
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to /sap/opu/odata/sap/MANAGE_PURCHASING_INFO_RECORDS_SRV in security audit logs
- User privilege escalation events in STAD or SM21 logs
Network Indicators:
- Unusual OData requests to purchasing endpoints from non-purchasing department IPs
SIEM Query:
source="sap_audit_log" AND (uri_path="/sap/opu/odata/sap/MANAGE_PURCHASING_INFO_RECORDS_SRV/*" AND user_role!="PURCHASING_ADMIN")
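The SIEM query above expresses the detection idea in one line; the following added example (not code from the advisory or from SAP) applies the same logic offline to a few constructed audit log lines, so the rule can be sanity-checked before it is deployed. The key=value log format, the field names, the user IDs and the Z_* role names are assumptions made for the sample; only the service path and the PURCHASING_ADMIN role come from the page. A request to the affected service from a user without the entitled role that nonetheless succeeded (2xx) is ranked above one the server blocked (4xx), because a successful call is what a missing authorization check would produce.

```python
import re
from dataclasses import dataclass

# Path of the affected OData service, as named in the advisory.
WATCHED_PATH = "/sap/opu/odata/sap/MANAGE_PURCHASING_INFO_RECORDS_SRV"
# Role the advisory's SIEM query treats as legitimately entitled.
REQUIRED_ROLE = "PURCHASING_ADMIN"

# Constructed sample log lines in an ASSUMED key=value format.
# Not real SAP Security Audit Log output; field names, users and Z_* roles are made up.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z user=PURCH01 roles=PURCHASING_ADMIN;Z_DISPLAY uri=/sap/opu/odata/sap/MANAGE_PURCHASING_INFO_RECORDS_SRV/$metadata status=200
2025-03-01T10:00:07Z user=FIN02 roles=Z_FINANCE_DISPLAY uri=/sap/opu/odata/sap/MANAGE_PURCHASING_INFO_RECORDS_SRV/SomeEntitySet status=200
2025-03-01T10:00:09Z user=FIN02 roles=Z_FINANCE_DISPLAY uri=/sap/opu/odata/sap/OTHER_SRV/SomeEntitySet status=200
2025-03-01T10:00:12Z user=SALES03 roles=Z_SALES_DISPLAY uri=/sap/opu/odata/sap/MANAGE_PURCHASING_INFO_RECORDS_SRV/$metadata status=403
malformed line that should be skipped
"""

# One line of the assumed format: timestamp, user, ';'-separated roles, URI, HTTP status.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) roles=(?P<roles>\S*) uri=(?P<uri>\S+) status=(?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    uri: str
    status: int
    verdict: str  # "succeeded" (2xx to a non-entitled user) or "blocked" (server refused)


def parse_line(line):
    """Return (timestamp, user, role set, uri, status) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    roles = {r for r in m["roles"].split(";") if r}
    return m["ts"], m["user"], roles, m["uri"], int(m["status"])


def find_findings(log_text, watched_path=WATCHED_PATH, required_role=REQUIRED_ROLE):
    """Flag requests under watched_path made by users who lack required_role."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in the expected format
        ts, user, roles, uri, status = rec
        # Only requests to the affected service (or anything below it) are of interest.
        if uri != watched_path and not uri.startswith(watched_path + "/"):
            continue
        if required_role in roles:
            continue  # entitled user, nothing to report
        # A 2xx answer to a non-entitled user is the signature of a missing authorization
        # check; a 4xx means the server refused and is a lower-priority "attempt" signal.
        verdict = "succeeded" if 200 <= status < 300 else "blocked"
        findings.append(Finding(ts, user, uri, status, verdict))
    return findings


def summarize(findings):
    """Count findings per user and verdict, for triage."""
    summary = {}
    for f in findings:
        summary.setdefault(f.user, {"succeeded": 0, "blocked": 0})
        summary[f.user][f.verdict] += 1
    return summary


if __name__ == "__main__":
    hits = find_findings(SAMPLE_LOG)
    for f in hits:
        print(f"{f.timestamp} {f.verdict:9} user={f.user} status={f.status} uri={f.uri}")
    print(summarize(hits))
```

On the constructed sample this reports two findings: FIN02's successful read of the purchasing service (the case worth escalating) and SALES03's blocked metadata request; PURCH01 is ignored because the entitled role is present, and FIN02's call to an unrelated service is ignored because it is outside the watched path. When adapting this to a real SIEM, map the `user`, `roles` and `uri` fields to whatever your audit log export actually provides.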