CVE-2025-27430 - Vulnerability Details - OpenCVE

Under certain conditions, an SSRF vulnerability in SAP CRM and SAP S/4HANA (Interaction Center) allows an attacker with low privileges to access restricted information. This flaw enables the attacker to send requests to internal network resources, thereby compromising the application's confidentiality. There is no impact on integrity or availability

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00032.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

No data.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://me.sap.com/notes/3561861
https://url.sap/sapsecuritypatchday

History

Fri, 11 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00034}`	epss `{'score': 0.00044}`

Tue, 11 Mar 2025 02:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 11 Mar 2025 01:00:00 +0000

Type	Values Removed	Values Added
Description		Under certain conditions, an SSRF vulnerability in SAP CRM and SAP S/4HANA (Interaction Center) allows an attacker with low privileges to access restricted information. This flaw enables the attacker to send requests to internal network resources, thereby compromising the application's confidentiality. There is no impact on integrity or availability
Title		Server Side Request Forgery (SSRF) in SAP CRM and SAP S/4 HANA (Interaction Center)
Weaknesses		CWE-918
References		https://me.sap.com/notes/3561861 https://url.sap/sapsecuritypatchday
Metrics		cvssV3_1 `{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N'}`

MITRE

Status: PUBLISHED

Assigner: sap

Published: 2025-03-11T00:37:24.590Z

Updated: 2025-03-11T02:06:54.297Z

Reserved: 2025-02-25T09:29:51.244Z

Link: CVE-2025-27430

Vulnrichment

Updated: 2025-03-11T02:06:50.763Z

NVD

Status : Received

Published: 2025-03-11T01:15:36.157

Modified: 2025-03-11T01:15:36.157

Link: CVE-2025-27430

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-27430", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "state": "PUBLISHED", "assignerShortName": "sap", "dateReserved": "2025-02-25T09:29:51.244Z", "datePublished": "2025-03-11T00:37:24.590Z", "dateUpdated": "2025-03-11T02:06:54.297Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "SAP CRM and SAP S/4HANA (Interaction Center)", "vendor": "SAP_SE", "versions": [{"status": "affected", "version": "S4CRM 100"}, {"status": "affected", "version": "200"}, {"status": "affected", "version": "204"}, {"status": "affected", "version": "205"}, {"status": "affected", "version": "206"}, {"status": "affected", "version": "S4FND 102"}, {"status": "affected", "version": "103"}, {"status": "affected", "version": "104"}, {"status": "affected", "version": "105"}, {"status": "affected", "version": "106"}, {"status": "affected", "version": "107"}, {"status": "affected", "version": "108"}, {"status": "affected", "version": "S4CEXT 107"}, {"status": "affected", "version": "BBPCRM 701"}, {"status": "affected", "version": "702"}, {"status": "affected", "version": "712"}, {"status": "affected", "version": "713"}, {"status": "affected", "version": "714"}, {"status": "affected", "version": "WEBCUIF 701"}, {"status": "affected", "version": "731"}, {"status": "affected", "version": "746"}, {"status": "affected", "version": "747"}, {"status": "affected", "version": "748"}, {"status": "affected", "version": "800"}, {"status": "affected", "version": "801"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Under certain conditions, an SSRF vulnerability in SAP CRM and SAP S/4HANA (Interaction Center) allows an attacker with low privileges to access restricted information. This flaw enables the attacker to send requests to internal network resources, thereby compromising the application's confidentiality. There is no impact on integrity or availability</p>"}], "value": "Under certain conditions, an SSRF vulnerability in SAP CRM and SAP S/4HANA (Interaction Center) allows an attacker with low privileges to access restricted information. This flaw enables the attacker to send requests to internal network resources, thereby compromising the application's confidentiality. There is no impact on integrity or availability"}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "lang": "eng", "type": "CWE"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2025-03-11T00:37:24.590Z"}, "references": [{"url": "https://me.sap.com/notes/3561861"}, {"url": "https://url.sap/sapsecuritypatchday"}], "source": {"discovery": "UNKNOWN"}, "title": "Server Side Request Forgery (SSRF) in SAP CRM and SAP S/4 HANA (Interaction Center)", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-11T02:06:37.325274Z", "id": "CVE-2025-27430", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-11T02:06:54.297Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-27430", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-11T02:06:37.325274Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-11T02:06:50.763Z"}}], "cna": {"title": "Server Side Request Forgery (SSRF) in SAP CRM and SAP S/4 HANA (Interaction Center)", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SAP_SE", "product": "SAP CRM and SAP S/4HANA (Interaction Center)", "versions": [{"status": "affected", "version": "S4CRM 100"}, {"status": "affected", "version": "200"}, {"status": "affected", "version": "204"}, {"status": "affected", "version": "205"}, {"status": "affected", "version": "206"}, {"status": "affected", "version": "S4FND 102"}, {"status": "affected", "version": "103"}, {"status": "affected", "version": "104"}, {"status": "affected", "version": "105"}, {"status": "affected", "version": "106"}, {"status": "affected", "version": "107"}, {"status": "affected", "version": "108"}, {"status": "affected", "version": "S4CEXT 107"}, {"status": "affected", "version": "BBPCRM 701"}, {"status": "affected", "version": "702"}, {"status": "affected", "version": "712"}, {"status": "affected", "version": "713"}, {"status": "affected", "version": "714"}, {"status": "affected", "version": "WEBCUIF 701"}, {"status": "affected", "version": "731"}, {"status": "affected", "version": "746"}, {"status": "affected", "version": "747"}, {"status": "affected", "version": "748"}, {"status": "affected", "version": "800"}, {"status": "affected", "version": "801"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://me.sap.com/notes/3561861"}, {"url": "https://url.sap/sapsecuritypatchday"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Under certain conditions, an SSRF vulnerability in SAP CRM and SAP S/4HANA (Interaction Center) allows an attacker with low privileges to access restricted information. This flaw enables the attacker to send requests to internal network resources, thereby compromising the application's confidentiality. There is no impact on integrity or availability", "supportingMedia": [{"type": "text/html", "value": "<p>Under certain conditions, an SSRF vulnerability in SAP CRM and SAP S/4HANA (Interaction Center) allows an attacker with low privileges to access restricted information. This flaw enables the attacker to send requests to internal network resources, thereby compromising the application's confidentiality. There is no impact on integrity or availability</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "eng", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap", "dateUpdated": "2025-03-11T00:37:24.590Z"}}}, "cveMetadata": {"cveId": "CVE-2025-27430", "state": "PUBLISHED", "dateUpdated": "2025-03-11T02:06:54.297Z", "dateReserved": "2025-02-25T09:29:51.244Z", "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "datePublished": "2025-03-11T00:37:24.590Z", "assignerShortName": "sap"}, "dataVersion": "5.1"}