Platform: sap
Component: sap-s-4hana-bank-communication-management
Fixed versions:
606.0.1
617.0.1
618.0.1
720.0.1
730.0.1
4.0.1
103.0.1
104.0.1
105.0.1
106.0.1
107.0.1
108.0.1
CVE-2025-42946 is a directory traversal vulnerability in the Bank Communication Management component of SAP S/4HANA. An authenticated attacker who already holds high privileges and can reach a specific transaction and method in that component can supply a path that escapes the intended directory and read or delete files on the application server's operating system. SAP lists affected releases from 606 through SAP_FIN 617. A correction is available (SAP Note 3614804) that removes the traversal and with it the unauthorized file access.
The impact of CVE-2025-42946 is unauthorized access to files on the application server's operating system. An attacker with high privileges and access to the affected transaction and method could read files outside the directory the component is meant to use, or delete them. Reading OS files can expose configuration details, credentials or other sensitive data that enable follow-on attacks, so both confidentiality and integrity are affected. The advisory rates the availability impact as none: the flaw itself does not take the system down. Deleting files the system depends on could still cause instability or an outage as a secondary effect, which is why the integrity impact should not be discounted. Because exploitation requires an already-privileged account, the realistic threat is privilege abuse by an insider or by an attacker who has compromised such an account, and the flaw underlines the value of tight authorization roles and regular audits of who can execute which transactions in SAP S/4HANA.
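To make the class of flaw concrete, the following is an added generic example; it is not SAP's code and does not reproduce the affected ABAP method in Bank Communication Management. It shows the vulnerable pattern (a caller-supplied file name joined onto a base directory without validation) next to a hardened version that canonicalizes the result and checks that it stays inside the base. The base directory /srv/bcm/out, the file names and the "secret" content are constructed for the demonstration.

```python
"""Generic directory-traversal example added to illustrate the class of flaw.
It is not SAP's code and does not reproduce the affected Bank Communication
Management method; paths and file names below are constructed for the demo."""
import os
import tempfile


def unsafe_path(base_dir: str, user_name: str) -> str:
    """Vulnerable pattern: the caller-controlled name is joined onto the base
    directory without validation. A name such as '../../etc/passwd' walks out
    of base_dir, and an absolute name makes os.path.join discard base_dir."""
    return os.path.join(base_dir, user_name)


def safe_path(base_dir: str, user_name: str) -> str:
    """Hardened pattern: canonicalize both base and candidate (collapses '..',
    resolves symlinks) and require the candidate to lie inside base.
    os.path.commonpath compares whole path components, so '/srv/bcm/out2'
    is correctly rejected for base '/srv/bcm/out' (a plain startswith check
    would accept it)."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_name))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # different drives on Windows: cannot be inside
        inside = False
    if not inside:
        raise ValueError(f"path escapes base directory: {user_name!r}")
    return candidate


def escapes_base(base_dir: str, user_name: str) -> bool:
    """True when the hardened check would reject user_name."""
    try:
        safe_path(base_dir, user_name)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Build a throwaway tree, place a 'secret' outside the export directory,
    and show the unsafe join reading it while the safe join refuses."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "bcm", "out")
        os.makedirs(base)
        secret = os.path.join(root, "secret.txt")
        with open(secret, "w") as f:
            f.write("db_password=hunter2\n")  # constructed sample content
        with open(os.path.join(base, "payment_001.txt"), "w") as f:
            f.write("legit export\n")

        traversal = os.path.join("..", "..", "secret.txt")
        with open(unsafe_path(base, traversal)) as f:
            leaked = f.read()  # the vulnerable join happily reads it
        with open(safe_path(base, "payment_001.txt")) as f:
            legit = f.read()
        return {
            "leaked_by_unsafe": leaked,
            "blocked_by_safe": escapes_base(base, traversal),
            "legit_read": legit,
        }


if __name__ == "__main__":
    print(demo())
```

The same containment check applies to deletion: the hardened function should be the only way a file name from a transaction parameter is ever turned into an OS path, whether the next call reads, writes or removes it.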
CVE-2025-42946 was published on August 12, 2025, with a CVSS score of 6.9 (medium). No public proof-of-concept exploit is known. As of the publication date it is not in CISA's Known Exploited Vulnerabilities (KEV) catalog, and its EPSS score is 0.08% (24th percentile), indicating a low probability of exploitation in the near term. Given the data exposure a privileged account could achieve, organizations should still schedule remediation promptly.
Exploit status
EPSS: 0.08% (24th percentile)
The primary mitigation for CVE-2025-42946 is to apply the correction SAP provides in SAP Note 3614804 for your component release (see the fixed versions listed above). SAP delivers corrections per component release and support package, so there is no single version number that covers every installation; match the note's instructions to the release you run. Before applying the note, review SAP's upgrade documentation and test in a non-production system to confirm compatibility and avoid unexpected disruption. If the correction cannot be applied immediately, restrict who can execute the affected transaction and method in Bank Communication Management through authorization roles (for example, by removing the transaction from the S_TCODE authorizations of roles that do not need it), so that only the minimal set of users retains access. A web application firewall or proxy offers little protection here, because the attack path is an authenticated transaction inside the SAP system rather than an HTTP request a perimeter device can inspect. Until the fix is in place, review the system log and security audit log for unusual file reads or deletions originating from that transaction.
Apply the security updates provided by SAP to correct the directory traversal vulnerability in Bank Communication Management. Consult SAP Note 3614804 for details and specific update instructions. Restrict access to the affected transaction and method in Bank Communication Management to reduce the risk of exploitation.
It's a directory traversal vulnerability in SAP S/4HANA's Bank Communication Management that lets an authenticated attacker with high privileges read or delete operating system files on the application server.
If you're running SAP S/4HANA versions 606–SAP_FIN 617, you are potentially affected. Check your version and apply the patch.
Apply the correction from SAP Note 3614804 for your component release. Test in a non-production environment before applying it to production.
As of the publication date, there are no publicly known exploits or active campaigns targeting this vulnerability.
Refer to the official SAP Security Notes and the National Vulnerability Database (NVD) entry for CVE-2025-42946 for detailed information.