CVE-2025-42916
HIGH
SAP S/4HANA (Private Cloud or On-Premise) - Arbitrary Database Table Content Deletion via ABAP Reports
Title source: llmDescription
Due to missing input validation, an attacker with high privilege access to ABAP reports could delete the content of arbitrary database tables, if the tables are not protected by an authorization group. This leads to a high impact on integrity and availability of the database but no impact on confidentiality.
References (2)
Core References
Vendor Advisory
https://me.sap.com/notes/3635475
Vendor Advisory
https://url.sap/sapsecuritypatchday
Scores
CVSS v3
8.1
EPSS
0.0025
EPSS Percentile
15.9%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-1287
Status
published
Products (7)
SAP_SE/SAP S/4HANA (Private Cloud or On-Premise)
103
SAP_SE/SAP S/4HANA (Private Cloud or On-Premise)
104
SAP_SE/SAP S/4HANA (Private Cloud or On-Premise)
105
SAP_SE/SAP S/4HANA (Private Cloud or On-Premise)
106
SAP_SE/SAP S/4HANA (Private Cloud or On-Premise)
107
SAP_SE/SAP S/4HANA (Private Cloud or On-Premise)
108
SAP_SE/SAP S/4HANA (Private Cloud or On-Premise)
S4CORE 102
Published
Sep 09, 2025
Tracked Since
Feb 18, 2026