CVE-2025-42984
Description
SAP S/4HANA Manage Central Purchase Contract does not perform necessary authorization checks for an authenticated user. Due to this, an attacker could execute the function import on the entity making it inaccessible for unrestricted user. This has low impact on confidentiality and availability of the application.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SAP S/4HANA lacks authorization checks for the Manage Central Purchase Contract, allowing authenticated low-privilege users to disable contract access.
Vulnerability
CVE-2025-42984 is an authorization bypass vulnerability in SAP S/4HANA's Manage Central Purchase Contract functionality. The application fails to perform the necessary authorization checks for an authenticated user when the function import is executed on the entity [1]. Because the check is missing, even a low-privileged authenticated user can trigger operations that should be restricted.
Exploitation
An authenticated attacker with minimal privileges can exploit this flaw by invoking the function import on the central purchase contract entity without proper authorization validation [1]. No special network position or additional authentication is needed beyond being a valid, authenticated user of the system.
Impact
Successful exploitation makes the contract entity inaccessible for unrestricted users — effectively causing a denial of service on part of the application. The official description rates the confidentiality and availability impact as low [1].
Mitigation
SAP has addressed this issue via a Security Note published on the June 2025 SAP Security Patch Day. Customers are advised to apply the relevant patch as soon as possible to protect their systems [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References (2)
News mentions
No linked articles in our index yet.