CVE-2025-43003

MEDIUM

SAP S/4 HANA - Privilege Escalation

Title source: llm

Description

SAP S/4 HANA allows an authenticated attacker with user privileges to configure a field not intended for their access and create a custom UI layout displaying this field. On performing this step the attacker could gain access to highly sensitive information. This could cause a high impact on confidentiality and minimal impact on integrity and availability of the application.

References (2)

[Vendor Advisory] https://me.sap.com/notes/3596033

[Vendor Advisory] https://url.sap/sapsecuritypatchday

Scores

CVSS v3 6.4

EPSS 0.0022

EPSS Percentile 44.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-749

Status published

Products (9)

SAP_SE/SAP S/4HANA (Private Cloud & On-Premise) 108

SAP_SE/SAP S/4HANA (Private Cloud & On-Premise) 205

SAP_SE/SAP S/4HANA (Private Cloud & On-Premise) 206

SAP_SE/SAP S/4HANA (Private Cloud & On-Premise) 712

SAP_SE/SAP S/4HANA (Private Cloud & On-Premise) 713

SAP_SE/SAP S/4HANA (Private Cloud & On-Premise) 714

SAP_SE/SAP S/4HANA (Private Cloud & On-Premise) BBPCRM 702

SAP_SE/SAP S/4HANA (Private Cloud & On-Premise) S4CEXT 107

SAP_SE/SAP S/4HANA (Private Cloud & On-Premise) S4CRM 204

Published May 13, 2025

Tracked Since Feb 18, 2026