CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
SAP GRC allows a non-administrative user to access and initiate a transaction which could allow them to modify or control the transmitted system credentials. This causes high impact on confidentiality, integrity and availability of the application.
Analysis
This is a privilege escalation vulnerability in SAP GRC that allows authenticated non-administrative users to access and initiate transactions capable of modifying system credentials. This critical flaw compromises confidentiality, integrity, and availability across the application, with a CVSS score of 8.8 indicating high severity. The vulnerability requires valid credentials to exploit but has no privilege requirements beyond basic user access, making it a significant risk in environments with broad GRC user bases.
Technical Context
This vulnerability stems from CWE-862 (Missing Authorization), a classic authorization bypass flaw where access control checks fail to properly validate user privileges before allowing sensitive transaction execution in SAP GRC. The affected component handles credential transmission and storage—core security-critical functionality in Governance, Risk, and Compliance platforms. SAP GRC's architecture typically uses role-based access control (RBAC) tied to user profiles; this vulnerability indicates insufficient server-side validation of transaction-level permissions, allowing non-administrative accounts to invoke administrative-level credential management functions. The flaw likely resides in transaction handlers or API endpoints that accept credential modification requests without proper authorization enforcement, treating authenticated users uniformly rather than differentiating permission levels.
Affected Products
SAP GRC (specific version range not provided in available data). Likely affected versions include SAP GRC 10.x and SAP GRC 12.x based on typical vulnerability patterns, though this must be confirmed against SAP Security Patch Day advisories. The vulnerability affects all deployment models where non-administrative users have legitimate GRC access (on-premise, cloud). CPE string pattern: cpe:2.3:a:sap:governance_risk_and_compliance:*:*:*:*:*:*:*:* (version range TBD by SAP advisory). Organizations should cross-reference SAP Security Advisory and apply version-specific mitigations immediately.
Remediation
1. **Immediate**: Restrict GRC transaction access via role assignments: audit and revoke unnecessary transaction execution rights for non-administrative users, particularly credential-related transactions (e.g., change password, credential storage).
2. **Patch**: Apply the SAP Security Patch Day update addressing CVE-2025-42982 once released; monitor the SAP Security Patch Notification Service (https://support.sap.com/en/my-support/security.html).
3. **Workaround (pre-patch)**: Implement custom authorization objects via SAP Authorization Management if available, or restrict GRC module access via transaction codes to administrative roles only.
4. **Monitoring**: Enable logging/alerting on credential transaction attempts by non-admin users; review audit logs (Security Audit Log) for unauthorized credential access.
5. **Access Review**: Conduct an immediate user access review in GRC; follow the least-privilege principle and segregate duties (e.g., GRC auditors should not have credential management rights).
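Steps 4 and 5 above (monitoring and access review) are the two checks a defender can run before a patch is available. The script below is an added example, not code from vuln.today or SAP, that shows both over constructed data: it scans a simplified, pipe-separated audit-log extract for credential-related transactions invoked by users who lack the credential-admin role, and it lists users whose role set violates the auditor/credential-management segregation of duties. The transaction codes, role names, log layout and user records are all placeholders; the real SAP Security Audit Log (SM20) format and the organization's actual GRC roles would replace them.

```python
from dataclasses import dataclass

# Placeholder transaction codes standing in for the credential-related GRC
# transactions the advisory refers to. The page names none, so these are
# assumptions, not real SAP transaction codes.
CREDENTIAL_TCODES = {"ZCRED_MAINT", "ZCRED_STORE"}

# Placeholder role names (assumptions for this example).
CRED_ADMIN_ROLE = "Z_GRC_CRED_ADMIN"
AUDITOR_ROLE = "Z_GRC_AUDITOR"

# Constructed user-to-role assignments, as an access-review export might
# provide them.
USER_ROLES = {
    "ADMIN01": {CRED_ADMIN_ROLE},
    "AUDITOR7": {AUDITOR_ROLE, CRED_ADMIN_ROLE},  # SoD conflict
    "USER123": {"Z_GRC_BASIC"},
    "USER456": {"Z_GRC_BASIC"},
}

# Constructed audit-log extract. Field layout (an assumption, not the real
# SM20 layout): timestamp|user|terminal|event|tcode|message
SAMPLE_LOG = """\
2025-06-10 08:01:12|ADMIN01|WS001|TRANSACTION_START|ZCRED_MAINT|Transaction started
2025-06-10 08:15:27|USER123|WS022|TRANSACTION_START|ZRISK_REPORT|Transaction started
2025-06-10 09:00:00|USER123|WS022|TRANSACTION_START|ZCRED_STORE|Transaction started
2025-06-10 09:12:45|AUDITOR7|WS014|TRANSACTION_START|ZCRED_MAINT|Transaction started
2025-06-10 09:30:08|USER456|WS031|AUTH_CHECK_FAIL|ZCRED_MAINT|Authorization check failed
2025-06-10 10:02:19|USER123|WS022|TRANSACTION_START|ZCRED_STORE|Transaction started
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    tcode: str
    outcome: str  # "executed" (transaction ran) or "denied" (auth check blocked it)


def parse_log(text):
    """Parse the pipe-separated extract into dicts; reject malformed records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 6:
            raise ValueError(f"malformed record: {line!r}")
        timestamp, user, terminal, event, tcode, message = fields
        records.append({"timestamp": timestamp, "user": user, "terminal": terminal,
                        "event": event, "tcode": tcode, "message": message})
    return records


def is_credential_admin(user, user_roles):
    # Users absent from the role export are treated as non-administrative.
    return CRED_ADMIN_ROLE in user_roles.get(user, set())


def find_unauthorized_credential_access(log_text, user_roles):
    """Step 4: credential-related transaction activity by non-admin users.

    An "executed" finding means the authorization check did not stop the
    transaction, which is exactly the condition CWE-862 describes; a
    "denied" finding is an attempt worth reviewing but shows the check held.
    """
    findings = []
    for rec in parse_log(log_text):
        if rec["tcode"] not in CREDENTIAL_TCODES:
            continue
        if is_credential_admin(rec["user"], user_roles):
            continue
        if rec["event"] == "TRANSACTION_START":
            outcome = "executed"
        elif rec["event"] == "AUTH_CHECK_FAIL":
            outcome = "denied"
        else:
            continue
        findings.append(Finding(rec["timestamp"], rec["user"], rec["tcode"], outcome))
    return findings


def segregation_of_duties_conflicts(user_roles):
    """Step 5: users holding both the auditor and credential-admin roles."""
    return sorted(user for user, roles in user_roles.items()
                  if AUDITOR_ROLE in roles and CRED_ADMIN_ROLE in roles)


if __name__ == "__main__":
    for f in find_unauthorized_credential_access(SAMPLE_LOG, USER_ROLES):
        print(f"{f.timestamp} {f.user:10} {f.tcode:12} {f.outcome}")
    print("SoD conflicts:", segregation_of_duties_conflicts(USER_ROLES))
```

On the constructed data the log scan reports USER123 twice as "executed" (a non-admin ran a credential transaction, the signal this advisory is about) and USER456 once as "denied", while ADMIN01 is ignored and AUDITOR7 passes the log check because the role export grants that account credential-admin rights; the access-review function then flags AUDITOR7 for holding both roles. In practice the "executed" findings are the alert condition, and the SoD list drives the revocations in step 1.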
EUVD-2025-17604