CVE-2025-42910 | THREATINT

Description

Due to missing verification of file type or content, SAP Supplier Relationship Management allows an authenticated attacker to upload arbitrary files. These files could include executables which might be downloaded and executed by the user which could host malware. On successful exploitation an attacker could cause high impact on confidentiality, integrity and availability of the application.

PUBLISHED Reserved 2025-04-16 | Published 2025-10-14 | Updated 2025-10-14 | Assigner sap

CRITICAL: 9.0CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Problem types

CWE-434: Unrestricted Upload of File with Dangerous Type

Product status

Default status

unaffected

SRMNXP01 100

affected

150

affected

References

me.sap.com/notes/3647332

url.sap/sapsecuritypatchday

cve.org (CVE-2025-42910)

nvd.nist.gov (CVE-2025-42910)

Download JSON