CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-42982: Information Disclosure in SAP GRC (AC Plugin)

8.8 CVSS

Description

SAP GRC allows a non-administrative user to access and initiate transaction which could allow them to modify or control the transmitted system credentials. This causes high impact on confidentiality, integrity and availability of the application.

Classification

CVE ID: CVE-2025-42982

CVSS Base Severity: HIGH

CVSS Base Score: 8.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Problem Types

CWE-862: Missing Authorization

Affected Products

Vendor: SAP_SE

Product: SAP GRC (AC Plugin)

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.05% (scored less or equal to compared to others)

EPSS Date: 2025-06-13 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-42982
https://me.sap.com/notes/3609271
https://url.sap/sapsecuritypatchday

Timeline

2025-06-10 03:40:13 UTC
CVE

Information Disclosure in SAP GRC (AC Plugin)