CVE-2025-25244: Missing Authorization Check in SAP Business Warehouse (Process Chains)
Description
SAP Business Warehouse (Process Chains) allows an attacker to manipulate the process execution due to missing authorization check. An attacker with display authorization for the process chain object could set one or all processes to be skipped. This means corresponding activities, such as data loading, activation, or deletion, will not be executed as initially modeled. This could lead to unexpected results in business reporting leading to a significant impact on integrity. However, there is no impact on confidentiality or availability.
Classification
CVE ID: CVE-2025-25244
CVSS Base Severity: MEDIUM
CVSS Base Score: 5.7
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Problem Types
CWE-862: Missing AuthorizationAffected Products
Vendor: SAP_SE
Product: SAP Business Warehouse (Process Chains)
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.02% (probability of being exploited)
EPSS Percentile: 3.39% (scored less or equal to compared to others)
EPSS Date: 2025-04-08 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2025-25244https://me.sap.com/notes/3552144
https://url.sap/sapsecuritypatchday