
SAP CVE-2025-42982
EUVD-2025-17604 | HIGH
Missing Authorization (CWE-862)
Published 2025-06-10 | CNA: cna@sap.com
CVSS 3.1 base score: 8.8

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned: Mar 14, 2026 19:49 (source: euvd), EUVD-2025-17604
Analysis Generated: Mar 14, 2026 19:49 (source: vuln.today)
CVE Published: Jun 10, 2025 01:15 (source: nvd), rated HIGH 8.8

Description (NVD)

SAP GRC allows a non-administrative user to access and initiate a transaction that could let them modify or control the transmitted system credentials. This has a high impact on the confidentiality, integrity and availability of the application.

Analysis (AI-generated)

Privilege escalation vulnerability in SAP GRC that allows authenticated non-administrative users to access and initiate transactions capable of modifying system credentials. This high-severity flaw compromises confidentiality, integrity, and availability across the application; its CVSS score of 8.8 places it in the High range. Exploitation requires valid credentials, but no privileges beyond basic user access, so the risk is significant in environments with a broad GRC user base.

Technical Context (AI-generated)

This vulnerability stems from CWE-862 (Missing Authorization): an authorization bypass in which access control checks fail to validate the user's privileges before allowing sensitive transaction execution in SAP GRC. The affected component handles credential transmission and storage, which is core security-critical functionality in a Governance, Risk, and Compliance platform. SAP GRC's architecture typically uses role-based access control (RBAC) tied to user profiles; this vulnerability indicates insufficient server-side validation of transaction-level permissions, allowing non-administrative accounts to invoke administrative-level credential management functions. The flaw likely resides in transaction handlers or API endpoints that accept credential modification requests without enforcing authorization, treating all authenticated users uniformly rather than differentiating permission levels.

Remediation (AI-generated)

1. Immediate: Restrict GRC transaction access via role assignments. Audit and revoke unnecessary transaction execution rights for non-administrative users, particularly for credential-related transactions (e.g., change password, credential storage).
2. Patch: Apply the SAP Security Patch Day update addressing CVE-2025-42982 once released; monitor the SAP Security Patch Notification Service (https://support.sap.com/en/my-support/security.html).
3. Workaround (pre-patch): Implement custom authorization objects via SAP Authorization Management if available, or restrict GRC module access via transaction codes to administrative roles only.
4. Monitoring: Enable logging/alerting on credential transaction attempts by non-admin users; review audit logs (Security Audit Log) for unauthorized credential access.
5. Access Review: Conduct an immediate user access review in GRC; follow the least-privilege principle and segregate duties (e.g., GRC auditors should not have credential management rights).


CVE-2025-42982 vulnerability details – vuln.today
