{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-42993", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2025-04-16T13:25:50.941Z", "datePublished": "2025-06-10T00:13:15.633Z", "dateUpdated": "2026-02-26T17:51:05.634Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SAP S/4HANA (Enterprise Event Enablement)", "vendor": "SAP_SE", "versions": [{"status": "affected", "version": "SAP_GWFND 757"}, {"status": "affected", "version": "758"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Due to a missing authorization check vulnerability in SAP S/4HANA (Enterprise Event Enablement), an attacker with access to the Inbound Binding Configuration could create an RFC destination and assign an arbitrary high-privilege user. This allows the attacker to consume events via the RFC destination, leading to code execution under the privileges of the assigned high-privilege user. While the vulnerability has a low impact on Availability, it significantly poses a high risk to both Confidentiality and Integrity.</p>"}], "value": "Due to a missing authorization check vulnerability in SAP S/4HANA (Enterprise Event Enablement), an attacker with access to the Inbound Binding Configuration could create an RFC destination and assign an arbitrary high-privilege user. This allows the attacker to consume events via the RFC destination, leading to code execution under the privileges of the assigned high-privilege user. While the vulnerability has a low impact on Availability, it significantly poses a high risk to both Confidentiality and Integrity."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862: Missing Authorization", "lang": "eng", "type": "CWE"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2025-06-10T00:13:15.633Z"}, "references": [{"url": "https://me.sap.com/notes/3580384"}, {"url": "https://url.sap/sapsecuritypatchday"}], "source": {"discovery": "UNKNOWN"}, "title": "Missing Authorization Check in SAP S/4HANA (Enterprise Event Enablement)", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-42993", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-06-11T04:01:29.029975Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T17:51:05.634Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-42993", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-06-11T04:01:29.029975Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-10T13:36:42.467Z"}}], "cna": {"title": "Missing Authorization Check in SAP S/4HANA (Enterprise Event Enablement)", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP S/4HANA (Enterprise Event Enablement)", "versions": [{"status": "affected", "version": "SAP_GWFND 757"}, {"status": "affected", "version": "758"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://me.sap.com/notes/3580384"}, {"url": "https://url.sap/sapsecuritypatchday"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Due to a missing authorization check vulnerability in SAP S/4HANA (Enterprise Event Enablement), an attacker with access to the Inbound Binding Configuration could create an RFC destination and assign an arbitrary high-privilege user. This allows the attacker to consume events via the RFC destination, leading to code execution under the privileges of the assigned high-privilege user. While the vulnerability has a low impact on Availability, it significantly poses a high risk to both Confidentiality and Integrity.", "supportingMedia": [{"type": "text/html", "value": "<p>Due to a missing authorization check vulnerability in SAP S/4HANA (Enterprise Event Enablement), an attacker with access to the Inbound Binding Configuration could create an RFC destination and assign an arbitrary high-privilege user. This allows the attacker to consume events via the RFC destination, leading to code execution under the privileges of the assigned high-privilege user. While the vulnerability has a low impact on Availability, it significantly poses a high risk to both Confidentiality and Integrity.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "eng", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2025-06-10T00:13:15.633Z"}}}, "cveMetadata": {"cveId": "CVE-2025-42993", "state": "PUBLISHED", "dateUpdated": "2026-02-26T17:51:05.634Z", "dateReserved": "2025-04-16T13:25:50.941Z", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "datePublished": "2025-06-10T00:13:15.633Z", "assignerShortName": "sap"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Due to a missing authorization check vulnerability in SAP S/4HANA (Enterprise Event Enablement), an attacker with access to the Inbound Binding Configuration could create an RFC destination and assign an arbitrary high-privilege user. This allows the attacker to consume events via the RFC destination, leading to code execution under the privileges of the assigned high-privilege user. While the vulnerability has a low impact on Availability, it significantly poses a high risk to both Confidentiality and Integrity."}, {"lang": "es", "value": "Debido a una vulnerabilidad de falta de comprobaci\u00f3n de autorizaci\u00f3n en SAP S/4HANA (Enterprise Event Enablement), un atacante con acceso a la configuraci\u00f3n de enlace entrante podr\u00eda crear un destino RFC y asignar un usuario arbitrario con privilegios altos. Esto le permite consumir eventos a trav\u00e9s del destino RFC, lo que provoca la ejecuci\u00f3n de c\u00f3digo con los privilegios del usuario con privilegios altos asignado. Si bien la vulnerabilidad tiene un impacto bajo en la disponibilidad, representa un riesgo significativo tanto para la confidencialidad como para la integridad."}], "id": "CVE-2025-42993", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.5, "source": "cna@sap.com", "type": "Secondary"}]}, "published": "2025-06-10T01:15:22.667", "references": [{"source": "cna@sap.com", "url": "https://me.sap.com/notes/3580384"}, {"source": "cna@sap.com", "url": "https://url.sap/sapsecuritypatchday"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "cna@sap.com", "type": "Secondary"}]}

{}

{}