CVE-2025-27436

The Manage Bank Statements in SAP S/4HANA does not perform required access control checks for an authenticated user to confirm whether a request to interact with a resource is legitimate, allowing the attacker to delete the attachment of a posted bank statement. This leads to a low impact on integrity, with no impact on the confidentiality of the data or the availability of the application.

CVSS v3 4.3 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://me.sap.com/notes/3565835
https://url.sap/sapsecuritypatchday

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) La función de gestión de extractos bancarios en SAP S/4HANA no realiza las comprobaciones de control de acceso necesarias para que un usuario autenticado confirme si una solicitud de interacción con un recurso es legítima, lo que permite al atacante eliminar el archivo adjunto de un extracto bancario publicado. Esto genera un impacto bajo en la integridad, sin impacto en la confidencialidad de los datos o la disponibilidad de la aplicación.

11 Mar 2025, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-11 01:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-27436

Mitre link : CVE-2025-27436

CVE.ORG link : CVE-2025-27436

JSON object : View

Products Affected

No product.

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

4.3 /10