Platform
sap
Component
sap-s-4hana-and-sap-scm-characteristic-propagation
Fixed in
713.0.1
714.0.1
4.0.1
103.0.1
104.0.1
4.0.1
106.0.1
107.0.1
108.0.1
700.0.1
701.0.1
702.0.1
712.0.1
CVE-2025-42967 describes a remote code execution (RCE) vulnerability within the Characteristic Propagation component of SAP S/4HANA and SAP SCM. This vulnerability allows an attacker with user-level privileges to inject malicious code into a newly created report, potentially leading to complete system compromise. The vulnerability affects versions of SAP SCM and S/4HANA up to and including SCM APO 713. A patch is available to address this critical security flaw.
The impact of CVE-2025-42967 is severe. Successful exploitation allows an attacker to execute arbitrary code on the affected SAP system with user privileges. This can lead to complete system takeover, enabling the attacker to access, modify, or delete sensitive data, install malware, or disrupt critical business operations. The ability to create a custom report with malicious code provides a highly effective attack vector, bypassing standard security controls. Given the widespread use of SAP systems in critical infrastructure and enterprise environments, the potential blast radius of this vulnerability is significant. This vulnerability shares similarities with other SAP RCE vulnerabilities where report customization features are exploited to gain unauthorized access and control.
CVE-2025-42967 was publicly disclosed on 2025-07-08. Its CVSS score of 9.9 (CRITICAL) indicates a high probability of exploitation. Public proof-of-concept (POC) code may become available, increasing the risk of widespread attacks. It is recommended to prioritize patching this vulnerability. The vulnerability has not yet been added to the CISA KEV catalog, but its criticality warrants close monitoring.
Exploit Status
EPSS
0.73% (73% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-42967 is to upgrade to a patched version of SAP S/4HANA and SAP SCM. Refer to the official SAP security note for the specific fixed version. If immediate patching is not possible, consider implementing temporary workarounds such as restricting user privileges related to report creation and modification. Implement strict input validation on any user-supplied data used in report generation. Monitor SAP system logs for suspicious activity related to report creation and execution. After upgrading, confirm the fix by attempting to create a report with potentially malicious code and verifying that the system prevents its execution.
Apply the updates provided by SAP through the corresponding security notes to mitigate the code injection vulnerability. Refer to SAP note 3618955 for more details and specific instructions.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-42967 is a critical remote code execution vulnerability affecting SAP S/4HANA and SAP SCM versions up to SCM APO 713. It allows attackers with user privileges to execute arbitrary code, potentially gaining full system control.
If you are running SAP S/4HANA or SAP SCM versions up to and including SCM APO 713, you are potentially affected by this vulnerability. Check your version against the affected range.
The recommended fix is to upgrade to a patched version of SAP S/4HANA and SAP SCM. Refer to the official SAP security note for the specific fixed version and upgrade instructions.
While active exploitation has not been confirmed, the vulnerability's criticality and public disclosure suggest a high likelihood of exploitation. Proactive patching is strongly recommended.
Refer to the official SAP Security Notes on the SAP Support Portal for the latest information and advisory regarding CVE-2025-42967.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.