CVE-2025-42991
📋 TL;DR
SAP S/4HANA Bank Account Application has an authorization vulnerability where authenticated 'approver' users can delete attachments from other users' bank account applications. This affects organizations using SAP S/4HANA with the Bank Account Application module. The vulnerability allows unauthorized data modification but doesn't compromise confidentiality or availability.
💻 Affected Systems
- SAP S/4HANA Bank Account Application
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Malicious approver systematically deletes critical financial documentation from multiple bank accounts, causing operational disruption and potential compliance violations.
Likely Case
Accidental or intentional deletion of bank account attachments by approvers who shouldn't have that permission, requiring manual restoration and audit trail correction.
If Mitigated
Minimal impact with proper segregation of duties and audit logging in place to detect and reverse unauthorized deletions.
🎯 Exploit Status
Exploitation requires authenticated approver access and knowledge of other users' bank account applications.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: See SAP Note 3608058 for specific patch information
Vendor Advisory: https://me.sap.com/notes/3608058
Restart Required: Yes
Instructions:
1. Review SAP Note 3608058 for patch details.
2. Apply the SAP security patch via SAP Solution Manager or manual transport.
3. Restart affected SAP services.
4. Verify authorization checks are now enforced.
🔧 Temporary Workarounds
Temporary Role Restriction
Temporarily remove delete-attachment permissions from approver roles until the patch is applied.
Use SAP transaction PFCG to modify approver role authorizations
🧯 If You Can't Patch
- Implement strict segregation of duties and limit approver access to only necessary users.
- Enable detailed audit logging for all attachment deletion activities and implement regular review processes.
🔍 How to Verify
Check if Vulnerable:
Test if approver users can delete attachments from bank account applications belonging to other users.
Check Version:
Check SAP system version via transaction SM51 or SMICM
Verify Fix Applied:
After patching, verify approver users can only delete attachments from their authorized bank accounts.
📡 Detection & Monitoring
Log Indicators:
- Unusual attachment deletion patterns in SAP audit logs
- Multiple attachment deletions by single approver across different accounts
Network Indicators:
- HTTP POST requests to attachment deletion endpoints with unauthorized account parameters
SIEM Query:
source="sap_audit_log" AND event="attachment_delete" AND user_role="approver" AND account_owner!=user
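As an added illustration of the detection logic above (not code from this page or from SAP), the following Python script applies the SIEM query and the "multiple deletions by a single approver across accounts" indicator to constructed JSON-lines audit records. The record shape and field names (event, user, user_role, account_owner, account_id) are assumed to mirror the query above; they are not SAP's actual audit-log format.

```python
import json
from collections import defaultdict

# Constructed sample audit events (assumed JSON-lines shape, not real SAP output).
SAMPLE_LOG = """\
{"ts": "2025-06-01T08:00:01Z", "event": "attachment_delete", "user": "APPR01", "user_role": "approver", "account_owner": "APPR01", "account_id": "BA-1001"}
{"ts": "2025-06-01T08:05:12Z", "event": "attachment_delete", "user": "APPR01", "user_role": "approver", "account_owner": "USER07", "account_id": "BA-2044"}
{"ts": "2025-06-01T08:06:40Z", "event": "attachment_delete", "user": "APPR01", "user_role": "approver", "account_owner": "USER12", "account_id": "BA-2051"}
{"ts": "2025-06-01T08:07:03Z", "event": "attachment_view", "user": "APPR01", "user_role": "approver", "account_owner": "USER12", "account_id": "BA-2051"}
{"ts": "2025-06-01T09:10:00Z", "event": "attachment_delete", "user": "APPR02", "user_role": "approver", "account_owner": "USER03", "account_id": "BA-3090"}
{"ts": "2025-06-01T09:11:00Z", "event": "attachment_delete", "user": "ADMIN1", "user_role": "admin", "account_owner": "USER03", "account_id": "BA-3090"}
"""


def parse_events(text):
    """Parse JSON-lines audit records; malformed or blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def cross_owner_deletes(events):
    """Equivalent of the SIEM query: an approver deleting an attachment from
    a bank account application owned by a different user."""
    return [e for e in events
            if e.get("event") == "attachment_delete"
            and e.get("user_role") == "approver"
            and e.get("account_owner") != e.get("user")]


def flag_multi_account_deleters(events, min_accounts=2):
    """Second log indicator: one approver deleting across several distinct
    accounts they do not own. Returns {user: sorted account ids}."""
    per_user = defaultdict(set)
    for e in cross_owner_deletes(events):
        per_user[e["user"]].add(e["account_id"])
    return {u: sorted(a) for u, a in per_user.items() if len(a) >= min_accounts}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for hit in cross_owner_deletes(evs):
        print("cross-owner delete:", hit["user"], "->", hit["account_id"], "owned by", hit["account_owner"])
    print("multi-account deleters:", flag_multi_account_deleters(evs))
```

On the sample data, the single-event rule flags three deletions (two by APPR01, one by APPR02) and the cross-account rule flags only APPR01, which is the pattern the "Log Indicators" section describes.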