CVE-2025-27432: Missing Authorization check in SAP Electronic Invoicing for Brazil (eDocument Cockpit)

2.4 CVSS

Description

The eDocument Cockpit (Inbound NF-e) in SAP Electronic Invoicing for Brazil allows an authenticated attacker with certain privileges to gain unauthorized access to each transaction. By executing the specific ABAP method within the ABAP system, an unauthorized attacker could call each transaction and view the inbound delivery details. This vulnerability has a low impact on the confidentiality with no effect on the integrity and the availability of the application.

Classification

CVE ID: CVE-2025-27432

CVSS Base Severity: LOW

CVSS Base Score: 2.4

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Problem Types

CWE-862: Missing Authorization

Affected Products

Vendor: SAP_SE

Product: SAP Electronic Invoicing for Brazil (eDocument Cockpit)

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 2.91% (scored less or equal to compared to others)

EPSS Date: 2025-04-08 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-27432
https://me.sap.com/notes/3568865
https://url.sap/sapsecuritypatchday

Timeline

2025-03-11 01:40:18 UTC
CVE

Missing Authorization check in SAP Electronic Invoicing for Brazil (eDocument Cockpit)