CVE-2025-42915
Description
Fiori app Manage Payment Blocks does not perform the necessary authorization checks, allowing an attacker with basic user privileges to abuse functionalities that should be restricted to specific user groups. This issue could impact both the confidentiality and integrity of the application without affecting the availability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Fiori app Manage Payment Blocks lacks authorization checks, allowing basic users to access restricted functions, impacting confidentiality and integrity.
Vulnerability
Overview
The Fiori application "Manage Payment Blocks" fails to perform necessary authorization checks, as described in CVE-2025-42915. This means the application does not verify whether a user has the appropriate permissions before allowing access to certain functionalities. The root cause is a classic missing authorization vulnerability, where the application relies on the user interface or client-side restrictions rather than enforcing server-side access controls.
Exploitation
An attacker with basic user privileges can exploit this flaw by directly accessing or invoking functionalities that should be restricted to specific user groups. No special authentication or network position is required beyond having a valid low-privileged account in the SAP system. The attack surface is the Manage Payment Blocks Fiori app itself, and the attacker can abuse the missing checks to perform actions they are not authorized for.
Impact
Successful exploitation can impact both the confidentiality and integrity of the application. The attacker may be able to view sensitive payment block data (confidentiality) or modify payment block settings (integrity). The availability of the application is not affected, as per the description.
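The pattern described in the Overview, Exploitation and Impact sections (authorization enforced only by what the user interface shows, while the backend entry points trust that filtering) is illustrated below with an added example. This is not SAP's code and not the Fiori app's implementation; the role name, document numbers, amounts and in-memory store are constructed for the illustration, and the generic handler pair stands in for whatever service calls the real app exposes. The vulnerable handlers show how a valid low-privileged account reads and modifies blocks by calling the service directly; the fixed handlers enforce the role on every entry point and record denied attempts so the activity is visible to monitoring.

```python
"""Added illustration (not SAP's code) of a missing server-side authorization
check of the kind described for CVE-2025-42915, next to the corrected handlers.
Role name, document numbers and the in-memory store are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


class AuthorizationError(PermissionError):
    """Raised when the caller lacks the role an operation requires."""


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]


@dataclass
class PaymentBlock:
    document: str          # constructed accounting document id
    amount: float
    blocked: bool = True


# Hypothetical role assumed to gate payment-block maintenance.
PAYBLOCK_ADMIN = "PAYMENT_BLOCK_ADMIN"


def sample_store() -> Dict[str, PaymentBlock]:
    """Fresh constructed data so every call starts from the same state."""
    return {
        "1900000001": PaymentBlock("1900000001", 12500.00),
        "1900000002": PaymentBlock("1900000002", 830.50),
    }


def ui_shows_release_button(user: User) -> bool:
    """What the client hides or shows. A UI-only check is not a control:
    the backend service can be invoked without the button."""
    return PAYBLOCK_ADMIN in user.roles


# --- Vulnerable pattern: backend trusts that the UI already filtered ---------
def list_blocks_vulnerable(user: User, store: Dict[str, PaymentBlock]) -> List[PaymentBlock]:
    return list(store.values())            # any valid user reads every block


def release_block_vulnerable(user: User, store: Dict[str, PaymentBlock], document: str) -> bool:
    store[document].blocked = False        # any valid user modifies a block
    return store[document].blocked


# --- Fixed pattern: every backend entry point enforces the role itself -------
AUDIT: List[str] = []                      # denied attempts, for detection


def _require(user: User, role: str, action: str) -> None:
    """Server-side check performed on each call, independent of the client."""
    if role not in user.roles:
        AUDIT.append(f"DENIED user={user.name} action={action} missing_role={role}")
        raise AuthorizationError(f"{user.name} may not {action}")


def list_blocks_fixed(user: User, store: Dict[str, PaymentBlock]) -> List[PaymentBlock]:
    _require(user, PAYBLOCK_ADMIN, "list_payment_blocks")
    return list(store.values())


def release_block_fixed(user: User, store: Dict[str, PaymentBlock], document: str) -> bool:
    _require(user, PAYBLOCK_ADMIN, "release_payment_block")
    store[document].blocked = False
    return store[document].blocked


def demo() -> dict:
    """Run both handler pairs against the same constructed data."""
    basic = User("basic_user", frozenset({"EMPLOYEE"}))
    admin = User("ap_clerk", frozenset({"EMPLOYEE", PAYBLOCK_ADMIN}))
    vuln_store, fixed_store = sample_store(), sample_store()
    AUDIT.clear()
    result = {
        "ui_hides_button_for_basic": not ui_shows_release_button(basic),
        # Vulnerable backend: UI gating is bypassed by calling the service directly.
        "vuln_basic_can_read": len(list_blocks_vulnerable(basic, vuln_store)),
        "vuln_basic_released": release_block_vulnerable(basic, vuln_store, "1900000001") is False,
    }
    try:
        list_blocks_fixed(basic, fixed_store)
        result["fixed_basic_read_denied"] = False
    except AuthorizationError:
        result["fixed_basic_read_denied"] = True
    try:
        release_block_fixed(basic, fixed_store, "1900000001")
        result["fixed_basic_denied"] = False
    except AuthorizationError:
        result["fixed_basic_denied"] = True
    result["fixed_still_blocked"] = fixed_store["1900000001"].blocked
    result["fixed_admin_released"] = release_block_fixed(admin, fixed_store, "1900000001") is False
    result["audit_entries"] = len(AUDIT)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    for line in AUDIT:
        print(line)
```

The point of the fixed variant is that `_require` runs inside every service method, so it does not matter which button the client rendered; the denied-attempt lines it records are the kind of signal an operations team would forward to a SIEM to spot a low-privileged account probing restricted functions.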
Mitigation
SAP has released security patches as part of its regular Security Patch Day [1]. Organizations running the affected SAP software should apply the relevant SAP Security Note to correct the authorization checks. No workaround is mentioned; patching is the recommended action.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 2
News mentions: 0
No linked articles in our index yet.