CVE-2025-42910
CRITICALSAP Supplier Relationship Management - File Upload
Title source: llmDescription
Due to missing verification of file type or content, SAP Supplier Relationship Management allows an authenticated attacker to upload arbitrary files. These files could include executables which might be downloaded and executed by the user which could host malware. On successful exploitation an attacker could cause high impact on confidentiality, integrity and availability of the application.
References (2)
Core 2
Core References
Vendor Advisory
https://me.sap.com/notes/3647332
Vendor Advisory
https://url.sap/sapsecuritypatchday
Scores
CVSS v3
9.0
EPSS
0.0004
EPSS Percentile
12.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-434
Status
published
Products (2)
SAP_SE/SAP Supplier Relationship Management
150
SAP_SE/SAP Supplier Relationship Management
SRMNXP01 100
Published
Oct 14, 2025
Tracked Since
Feb 18, 2026