CVE-2025-25244

11.03.2025, 01:15

SAP Business Warehouse (Process Chains) allows an attacker to manipulate the process execution due to missing authorization check. An attacker with display authorization for the process chain object could set one or all processes to be skipped. This means corresponding activities, such as data loading, activation, or deletion, will not be executed as initially modeled. This could lead to unexpected results in business reporting leading to a significant impact on integrity. However, there is no impact on confidentiality or availability.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.7 MEDIUM	ADJACENT_NETWORK	LOW	LOW	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
sap	CNA	5.7 MEDIUM	ADJACENT_NETWORK	LOW	LOW	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CISA-ADP	ADP	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 14%

Common Weakness Enumeration

CWE-862 - Missing Authorization
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

References

https://me.sap.com/notes/3552144

https://url.sap/sapsecuritypatchday