Missing Authorization Check Vulnerability in SAP S/4 HANA Private Cloud by SAP
CVE-2025-42876

7.1 HIGH

What is CVE-2025-42876?

A missing authorization check in SAP S/4 HANA Private Cloud allows an authenticated attacker whose access is limited to a specific company code to access sensitive data and manipulate documents across all company codes. This could severely compromise data confidentiality while maintaining the integrity of the system and having no effect on availability.

Affected Version(s)

SAP S/4 HANA Private Cloud (Financials General Ledger) S4CORE 104

SAP S/4 HANA Private Cloud (Financials General Ledger) 105

SAP S/4 HANA Private Cloud (Financials General Ledger) 106

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
