SB2025090603 - Multiple vulnerabilities in SAP S/4HANA

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) CRLF injection (CVE-ID: CVE-2025-42934)

The vulnerability allows a remote user to inject arbitrary data in server response.

The vulnerability exists due to insufficient validation of attacker-supplied data within the Supplier invoice feature. A remote user can pass specially crafted data to the application containing CR-LF characters and modify application behavior.

2) Path traversal (CVE-ID: CVE-2025-42946)

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences within the Bank Communication Management component. A remote privileged user can send a specially crafted HTTP request and read arbitrary files on the system.

3) Code Injection (CVE-ID: CVE-2025-42957)

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation. A remote user can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install update from vendor's website.

References

• https://support.sap.com/en/my-support/knowledge-base/security-notes-news/august-2025.html
• https://me.sap.com/notes/3616863
• https://me.sap.com/notes/3614804
• https://me.sap.com/notes/3627998