CVE-2025-42946: Directory Traversal in SAP S/4HANA

The primary impact of CVE-2025-42946 stems from the potential for unauthorized access to sensitive operating system files. An attacker, possessing high privileges and access to a specific transaction and method within Bank Communication Management, could leverage this vulnerability to read or even delete critical system files. While the vulnerability does not directly impact system availability, the compromise of sensitive data or the disruption of system functionality through file manipulation could have significant consequences. The ability to read OS files could expose configuration details, credentials, or other sensitive information, enabling further attacks. Deletion of critical files could lead to system instability or denial of service, although the description explicitly states no direct impact on availability. This vulnerability highlights the importance of robust access controls and regular security audits within SAP S/4HANA environments.

1. Reserved2025-04-16
2. Published2025-08-12
3. Modified2025-08-13
4. EPSS updated2026-03-23

The primary mitigation for CVE-2025-42946 is to upgrade to SAP S/4HANA version 617.0.1 or later, which includes the necessary patch to address the directory traversal vulnerability. Prior to upgrading, it's crucial to review SAP's upgrade documentation and perform thorough testing in a non-production environment to ensure compatibility and avoid any unexpected disruptions. If an immediate upgrade is not feasible, consider implementing stricter access controls within Bank Communication Management to limit the privileges of users and restrict access to sensitive transactions and methods. While a WAF or proxy cannot directly prevent directory traversal, they can be configured to monitor for suspicious patterns and block requests that attempt to access unauthorized files. Regularly review system logs for any signs of unusual activity or attempted file access.