Severity
Medium
Analysis Summary
CVE-2025-27430 CVSS: 3.5
A Server-Side Request Forgery (SSRF) vulnerability exists in SAP CRM and SAP S/4HANA (Interaction Centre) that can be triggered by a low-privileged attacker. This security weakness allows the attacker to access restricted information by sending requests to internal network resources. The vulnerability specifically impacts the confidentiality of the application, with no additional consequences to system integrity or availability.
CVE-2025-27431 CVSS: 5.4
User management functionality in SAP NetWeaver Application Server Java is vulnerable to Stored Cross-Site Scripting (XSS). This could enable a malicious user to inject a malicious payload that is stored and executed when another user accesses the functionality, leading to information disclosure or unauthorized data modification within the scope of the victim's browser. There is no impact on availability.
CVE-2025-27432 CVSS: 2.4
An authentication vulnerability exists in SAP Electronic Invoicing for Brazil's eDocument Cockpit (Inbound NF-e). An authenticated attacker with specific privileges can gain unauthorized access to transaction details. By executing a particular ABAP method within the ABAP system, the attacker can call and view inbound delivery details. The vulnerability has a low impact on confidentiality and does not affect the system's integrity or availability.
CVE-2025-27433 CVSS: 4.3
A vulnerability exists in the Manage Bank Statements feature of SAP S/4HANA that enables an authenticated attacker to bypass application functionality restrictions and upload files to a reversed bank statement. This security issue has minimal impact on the application, specifically presenting a low risk to the system's integrity without compromising confidentiality or availability of the application.
CVE-2025-27434 CVSS: 8.8
A Cross-Site Scripting (XSS) vulnerability exists in SAP Commerce (Swagger UI) due to insufficient input validation. An unauthenticated attacker can inject malicious code from remote sources, potentially executing a cross-site scripting attack. This vulnerability could have a high impact on the confidentiality, integrity, and availability of data within the SAP Commerce system.
CVE-2025-27436 CVSS: 4.3
A vulnerability exists in the Manage Bank Statements feature of SAP S/4HANA where access control checks are not properly implemented. An authenticated user can abuse this weakness to delete attachments from posted bank statements without appropriate authorization. The security issue has a low impact on system integrity and does not affect data confidentiality or application availability.
Impact
- Cross-Site Scripting
- Gain Access
- Privilege Escalation
Indicators of Compromise
CVE
CVE-2025-27430
CVE-2025-27431
CVE-2025-27432
CVE-2025-27433
CVE-2025-27434
CVE-2025-27436
Affected Vendors
- SAP
Affected Products
- SAP NetWeaver Application Server Java
- SAP CRM and SAP S/4HANA
- SAP Electronic Invoicing for Brazil
Remediation
Refer to the SAP website for patch, upgrade, or suggested workaround information.