VYPR
Medium severity 6.5 · NVD Advisory · Published Sep 9, 2025 · Updated Apr 15, 2026

CVE-2025-42912

Description

SAP HCM My Timesheet Fiori 2.0 application does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This issue has a significant impact on the application's integrity, while confidentiality and availability remain unaffected.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SAP HCM My Timesheet Fiori 2.0 fails to enforce authorization checks, allowing authenticated users to escalate privileges and compromise data integrity.

Vulnerability Overview

CVE-2025-42912 is a missing authorization check vulnerability in the SAP HCM My Timesheet Fiori 2.0 application. The application does not perform necessary authorization checks for authenticated users, leading to an escalation of privileges. The underlying root cause is the absence of proper access control enforcement in the application's business logic, allowing a user to perform actions that should be restricted to higher-privileged roles [1].

Exploitation Conditions

An attacker must first be an authenticated user of the SAP HCM My Timesheet Fiori 2.0 application. No additional privileges are required initially. The exploit is carried out by sending crafted requests that reach functionality where the authorization checks are missing. The attack vector is over the network, and the vulnerability can be exploited without any user interaction or special conditions beyond valid credentials [1].

Impact and Mitigation

Successful exploitation allows the attacker to perform unauthorized actions within the application, primarily impacting the integrity of the application's data. Confidentiality and availability are not affected. The CVSS v3 base score of 6.5 (Medium) reflects this significant integrity impact. SAP has released security patches as part of its regular Patch Day cycle; users are advised to apply the relevant SAP Security Notes to remediate this vulnerability [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.

References

2
