As hackers exploit one high-severity SAP flaw, company warns of 3 more
"The attacker needs only low-level credentials on the SAP system (any valid user account with permissions to call the vulnerable RFC module and the specific S_DMIS authorization with activity 02), and no user interaction is required. The attack complexity is low and can be performed over the network, which is why the CVSS score is so high (9.9)."
"Other vulnerabilities SAP reported Tuesday affected a range of products, including SAP Business One, SAP Landscape Transformation Replication Server, SAP Commerce Cloud, SAP Datahub, SAP Business Planning and Consolidation, SAP HCM, SAP BusinessObjects Business Intelligence Platform, SAP Supplier Relationship Management, and Fiori. Severity ratings of those vulnerabilities range from 3.1 to 8.8. All vulnerabilities mentioned in this post, particularly those with high severity ratings, should be patched as soon as possible. SAP has more information on its security page."
CVE-2025-42957 lets an attacker who holds only low-level SAP credentials (any valid account permitted to call the vulnerable RFC module and holding the S_DMIS authorization with activity 02) gain unauthorized access and escalate privileges, with no user interaction required. The exploit has low complexity, can be performed over the network, and carries a CVSS score of 9.9; a successful attack could enable fraud, data theft, espionage, or ransomware installation. SAP described the flaw as a backdoor that jeopardizes confidentiality, integrity, and availability and warned of severe compromise if it is not mitigated immediately. Several other SAP products carry vulnerabilities rated from 3.1 to 8.8, and those should also be patched promptly.
Read at Ars Technica