
CVE-2025-42993: Missing Authorization Check in SAP S/4HANA (Enterprise Event Enablement)

6.7 CVSS

Description

Due to a missing authorization check in SAP S/4HANA (Enterprise Event Enablement), an attacker with access to the Inbound Binding Configuration could create an RFC destination and assign an arbitrary high-privilege user to it. This allows the attacker to consume events via that RFC destination, leading to code execution under the privileges of the assigned high-privilege user. While the vulnerability has a low impact on availability, it poses a high risk to both confidentiality and integrity.

Classification

CVE ID: CVE-2025-42993

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.7

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

Problem Types

CWE-862: Missing Authorization

Affected Products

Vendor: SAP_SE

Product: SAP S/4HANA (Enterprise Event Enablement)

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.06% (estimated probability of exploitation)

EPSS Percentile: 18.06% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-06-13 (date on which this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-42993
https://me.sap.com/notes/3580384
https://url.sap/sapsecuritypatchday
