CVE-2025-42991
Description
SAP S/4HANA Bank Account Application lacks authorization checks, allowing an authenticated approver to delete other users' attachments, with low integrity impact.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The vulnerability resides in SAP S/4HANA's Bank Account Application component. Due to missing authorization checks, the application fails to verify that an authenticated user with the 'approver' role has the proper permissions to delete attachments belonging to other users. This is an authorization bypass issue.
An attacker holding the 'approver' role can exploit this by sending a crafted request that deletes an attachment on a bank account application belonging to another user. No special network position or privilege beyond normal authenticated access with the 'approver' role is required.
Successful exploitation allows the attacker to delete attachments of other users, leading to a low impact on integrity. The confidentiality and availability of the application are not affected. The deleted attachments could be important documents related to bank account applications.
SAP has released a security note as part of its monthly Security Patch Day to address this vulnerability [1]. Users are advised to apply the relevant patch as soon as possible. No workarounds are mentioned. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog as of publication.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
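The missing check described above, illustrated with an added Python model that is not SAP code and is not taken from the advisory: a delete handler gated only by the 'approver' role beside one that also performs an object-level check on the attachment's owner. The in-memory store, the sample users and the ownership-based policy are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Attachment:
    attachment_id: str
    application_id: str  # bank account application the file belongs to
    uploaded_by: str     # user who uploaded it


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset


class AttachmentStore:
    """In-memory stand-in for the attachment service (constructed model)."""

    def __init__(self, attachments):
        self._items = {a.attachment_id: a for a in attachments}

    def exists(self, attachment_id):
        return attachment_id in self._items

    def delete_role_only(self, actor, attachment_id):
        # Vulnerable pattern: the only gate is the role, so any approver
        # can remove any other user's attachment (the behaviour the CVE describes).
        if "approver" not in actor.roles:
            return False
        return self._items.pop(attachment_id, None) is not None

    def delete_with_object_check(self, actor, attachment_id):
        # Hardened pattern: role check plus an object-level check that the
        # actor owns the attachment. Ownership as the policy is an assumption.
        att = self._items.get(attachment_id)
        if att is None or "approver" not in actor.roles:
            return False
        if att.uploaded_by != actor.user_id:
            return False  # deny here, and log it as an authorization failure
        del self._items[attachment_id]
        return True


def make_store():
    # Constructed sample: two approvers, each with one attachment on an application.
    return AttachmentStore([
        Attachment("att-1", "app-100", "alice"),
        Attachment("att-2", "app-200", "bob"),
    ])


ALICE = User("alice", frozenset({"approver"}))
BOB = User("bob", frozenset({"approver"}))
```

Denials from the object-level check are the events worth alerting on: a single approver account repeatedly failing ownership checks on other users' attachments is the pattern a detection rule would look for.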
Affected products: 1
Patches: 0. No patches discovered yet.
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 2
News mentions: 0. No linked articles in our index yet.