CWE
639
EPSS
0.027%
Advisory Published
Updated

CVE-2025-27436: Broken Access Control vulnerabilities in SAP S/4HANA (Manage Bank Statements)

First published: Tue Mar 11 2025(Updated: )

The Manage Bank Statements in SAP S/4HANA does not perform required access control checks for an authenticated user to confirm whether a request to interact with a resource is legitimate, allowing the attacker to delete the attachment of a posted bank statement. This leads to a low impact on integrity, with no impact on the confidentiality of the data or the availability of the application.

Credit: cna@sap.com

Affected SoftwareAffected VersionHow to fix
SAP S/4HANA Sales

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Frequently Asked Questions

  • What is the severity of CVE-2025-27436?

    The severity of CVE-2025-27436 is classified as low.

  • How do I fix CVE-2025-27436?

    To fix CVE-2025-27436, implement the recommended access control checks in your SAP S/4HANA system.

  • What are the potential impacts of CVE-2025-27436?

    CVE-2025-27436 allows an authenticated user to delete attachments of posted bank statements, which can disrupt financial processes.

  • Which software is affected by CVE-2025-27436?

    CVE-2025-27436 affects SAP S/4HANA.

  • Who can exploit CVE-2025-27436?

    Authenticated users with access to manage bank statements in SAP S/4HANA can exploit CVE-2025-27436.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203