कोड इंजेक्शन (Code Injection) भेद्यता SAP S/4HANA और SAP SCM (विशेषता प्रसार - Characteristic Propagation) में
प्लेटफ़ॉर्म
sap
घटक
sap-s-4hana-and-sap-scm-characteristic-propagation
में ठीक किया गया
713.0.1
714.0.1
4.0.1
103.0.1
104.0.1
4.0.1
106.0.1
107.0.1
108.0.1
700.0.1
701.0.1
702.0.1
712.0.1
CVE-2025-42967 describes a remote code execution (RCE) vulnerability within the Characteristic Propagation component of SAP S/4HANA and SAP SCM. This vulnerability allows an attacker with user-level privileges to inject malicious code into a newly created report, potentially leading to complete system compromise. The vulnerability affects versions of SAP SCM and S/4HANA up to and including SCM APO 713. A patch is available to address this critical security flaw.
प्रभाव और हमले की स्थितियाँअनुवाद हो रहा है…
The impact of CVE-2025-42967 is severe. Successful exploitation allows an attacker to execute arbitrary code on the affected SAP system with user privileges. This can lead to complete system takeover, enabling the attacker to access, modify, or delete sensitive data, install malware, or disrupt critical business operations. The ability to create a custom report with malicious code provides a highly effective attack vector, bypassing standard security controls. Given the widespread use of SAP systems in critical infrastructure and enterprise environments, the potential blast radius of this vulnerability is significant. This vulnerability shares similarities with other SAP RCE vulnerabilities where report customization features are exploited to gain unauthorized access and control.
शोषण संदर्भअनुवाद हो रहा है…
CVE-2025-42967 was publicly disclosed on 2025-07-08. Its CVSS score of 9.9 (CRITICAL) indicates a high probability of exploitation. Public proof-of-concept (POC) code may become available, increasing the risk of widespread attacks. It is recommended to prioritize patching this vulnerability. The vulnerability has not yet been added to the CISA KEV catalog, but its criticality warrants close monitoring.
कौन जोखिम में हैअनुवाद हो रहा है…
Organizations heavily reliant on SAP S/4HANA and SAP SCM for critical business processes are at significant risk. This includes industries such as manufacturing, finance, and supply chain management. Systems with legacy configurations or those lacking robust access controls are particularly vulnerable. Shared hosting environments utilizing older SAP versions also present a heightened risk.
पहचान के चरणअनुवाद हो रहा है…
• linux / server:
journalctl -u <sap_service_name> | grep -i "characteristic propagation"• generic web:
curl -I <sap_url>/sap/bc/ui2/ui2/browser?sap-client=<client_id>&fiori=/sap/ui2/view/main.html• database (mysql):
SELECT * FROM <sap_tables> WHERE <column_name> LIKE '%characteristic propagation%';हमले की समयरेखा
- Disclosure
disclosure
खतरा खुफिया
एक्सप्लॉइट स्थिति
EPSS
0.73% (73% शतमक)
CISA SSVC
CVSS वेक्टर
इन मेट्रिक्स का क्या मतलब है?
- Attack Vector
- नेटवर्क — इंटरनेट के माध्यम से दूरस्थ रूप से शोषण योग्य। कोई भौतिक या स्थानीय पहुंच आवश्यक नहीं।
- Attack Complexity
- निम्न — कोई विशेष शर्त नहीं। विश्वसनीय रूप से शोषण योग्य।
- Privileges Required
- निम्न — कोई भी वैध उपयोगकर्ता खाता पर्याप्त है।
- User Interaction
- कोई नहीं — स्वचालित और मूक हमला। पीड़ित कुछ नहीं करता।
- Scope
- बदला हुआ — हमला कमज़ोर घटक से परे अन्य प्रणालियों तक फैल सकता है।
- Confidentiality
- उच्च — पूर्ण गोपनीयता हानि। हमलावर सभी डेटा पढ़ सकता है।
- Integrity
- उच्च — हमलावर कोई भी डेटा लिख, बदल या हटा सकता है।
- Availability
- उच्च — पूर्ण क्रैश या संसाधन समाप्ति। पूर्ण सेवा से इनकार।
प्रभावित सॉफ्टवेयर
कमजोरी वर्गीकरण (CWE)
समयरेखा
- आरक्षित
- प्रकाशित
- संशोधित
- EPSS अद्यतन
शमन और वर्कअराउंडअनुवाद हो रहा है…
The primary mitigation for CVE-2025-42967 is to upgrade to a patched version of SAP S/4HANA and SAP SCM. Refer to the official SAP security note for the specific fixed version. If immediate patching is not possible, consider implementing temporary workarounds such as restricting user privileges related to report creation and modification. Implement strict input validation on any user-supplied data used in report generation. Monitor SAP system logs for suspicious activity related to report creation and execution. After upgrading, confirm the fix by attempting to create a report with potentially malicious code and verifying that the system prevents its execution.
कैसे ठीक करें
कोड इंजेक्शन (Code Injection) भेद्यता को कम करने के लिए SAP द्वारा सुरक्षा नोट्स के माध्यम से प्रदान किए गए अपडेट लागू करें। अधिक विवरण और विशिष्ट निर्देशों के लिए SAP नोट 3618955 देखें।
CVE सुरक्षा न्यूज़लेटर
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
अक्सर पूछे जाने वाले सवालअनुवाद हो रहा है…
What is CVE-2025-42967 — RCE in SAP S/4HANA and SAP SCM?
CVE-2025-42967 is a critical remote code execution vulnerability affecting SAP S/4HANA and SAP SCM versions up to SCM APO 713. It allows attackers with user privileges to execute arbitrary code, potentially gaining full system control.
Am I affected by CVE-2025-42967 in SAP S/4HANA and SAP SCM?
If you are running SAP S/4HANA or SAP SCM versions up to and including SCM APO 713, you are potentially affected by this vulnerability. Check your version against the affected range.
How do I fix CVE-2025-42967 in SAP S/4HANA and SAP SCM?
The recommended fix is to upgrade to a patched version of SAP S/4HANA and SAP SCM. Refer to the official SAP security note for the specific fixed version and upgrade instructions.
Is CVE-2025-42967 being actively exploited?
While active exploitation has not been confirmed, the vulnerability's criticality and public disclosure suggest a high likelihood of exploitation. Proactive patching is strongly recommended.
Where can I find the official SAP advisory for CVE-2025-42967?
Refer to the official SAP Security Notes on the SAP Support Portal for the latest information and advisory regarding CVE-2025-42967.
क्या आपका प्रोजेक्ट प्रभावित है?
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।