CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-43009: Missing Authorization check in SAP Service Parts Management (SPM)

6.3 CVSS

Description

SAP Service Parts Management (SPM) does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. This has low impact on Confidentiality, integrity and availability of the application.

Classification

CVE ID: CVE-2025-43009

CVSS Base Severity: MEDIUM

CVSS Base Score: 6.3

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Problem Types

CWE-862: Missing Authorization

Affected Products

Vendor: SAP_SE

Product: SAP Service Parts Management (SPM)

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 10.63% (scored less or equal to compared to others)

EPSS Date: 2025-06-11 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2025-43009
https://me.sap.com/notes/2491817
https://url.sap/sapsecuritypatchday

Timeline

2025-05-13 15:40:21 UTC
CVE

Missing Authorization check in SAP Service Parts Management (SPM)