CVE-2025-23188
Description
An authenticated user with low privileges can exploit a missing authorization check in an IBS module of FS-RBD, allowing unauthorized access to perform actions beyond their intended permissions. This causes a low impact on integrity with no impact on confidentiality and availability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated low-privilege user can bypass authorization checks in an IBS module of SAP FS-RBD, enabling unauthorized actions with low integrity impact.
Vulnerability Overview
CVE-2025-23188 describes a missing authorization check in an IBS module of SAP FS-RBD (Financial Services - Risk and Benefit Determination). The root cause is that the module fails to verify whether an authenticated user has the necessary permissions to perform certain actions, allowing users with low privileges to execute operations beyond their intended scope [1].
Exploitation Conditions
To exploit this vulnerability, an attacker must be authenticated to the SAP system with low privileges. No additional network access or special positioning is required beyond standard authenticated access. The missing authorization check can be triggered through the IBS module, potentially via crafted requests that bypass the intended permission validation [1].
Impact
Successful exploitation results in a low impact on integrity, meaning the attacker may be able to modify data or perform actions that compromise data integrity. However, there is no impact on confidentiality or availability. The vulnerability does not allow reading sensitive data or causing denial of service [1].
Mitigation
SAP has addressed this vulnerability as part of its regular Security Patch Day. Users are advised to apply the relevant SAP Security Note to remediate the issue. No workarounds have been published, and the fix should be implemented promptly [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (2)
News mentions (0)
No linked articles in our index yet.