← back
CVE-2025-43010

Code injection vulnerability in SAP S/4HANA Cloud Private Edition or On Premise(SCM Master Data Layer (MDL))

CVSS 8.3 HIGHEPSS 0.4%CWE-94
Vexday Risk Score
21Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 8.3EPSS 0.4%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
13 May 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
SAP S/4HANA Cloud Private Edition or on Premise (SCM Master Data Layer (MDL)) allows an authenticated attacker with SAP standard authorization to execute a certain function module remotely and replace arbitrary ABAP programs, including SAP standard programs. This is due to lack of input validation and no authorization checks. This has low Confidentiality impact but high impact on integrity and availability to the application.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
Affected products
SAP_SE · SAP S/4HANA Cloud Private Edition or on Premise (SCM Master Data Layer (MDL))

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://me.sap.com/notes/3600859https://url.sap/sapsecuritypatchday