cnvd - cnvd-2025-11405

CNVD-2025-11405

Vulnerability from cnvd - Published: 2025-06-03

Title

SAP Service Parts Management授权问题漏洞

Description

SAP Service Parts Management是德国思爱普（SAP）公司的一个面向售后服务的智能备件供应链解决方案。 SAP Service Parts Management存在授权问题漏洞，该漏洞源于缺少授权检查，目前没有详细的漏洞细节提供。

Severity

中

Patch Name

SAP Service Parts Management授权问题漏洞的补丁

Patch Description

SAP Service Parts Management是德国思爱普（SAP）公司的一个面向售后服务的智能备件供应链解决方案。 SAP Service Parts Management存在授权问题漏洞，该漏洞源于缺少授权检查，目前没有详细的漏洞细节提供。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级程序修复该安全问题，详情见厂商官网： https://support.sap.com/en/my-support/knowledge-base/security-notes-news/may-2025.html

Reference

https://nvd.nist.gov/vuln/detail/CVE-2025-43009

Impacted products

Name
SAP SAP Service Parts Management

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-43009",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-43009"
    }
  },
  "description": "SAP Service Parts Management\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u9762\u5411\u552e\u540e\u670d\u52a1\u7684\u667a\u80fd\u5907\u4ef6\u4f9b\u5e94\u94fe\u89e3\u51b3\u65b9\u6848\u3002\n\nSAP Service Parts Management\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f3a\u5c11\u6388\u6743\u68c0\u67e5\uff0c\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u7a0b\u5e8f\u4fee\u590d\u8be5\u5b89\u5168\u95ee\u9898\uff0c\u8be6\u60c5\u89c1\u5382\u5546\u5b98\u7f51\uff1a\r\nhttps://support.sap.com/en/my-support/knowledge-base/security-notes-news/may-2025.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-11405",
  "openTime": "2025-06-03",
  "patchDescription": "SAP Service Parts Management\u662f\u5fb7\u56fd\u601d\u7231\u666e\uff08SAP\uff09\u516c\u53f8\u7684\u4e00\u4e2a\u9762\u5411\u552e\u540e\u670d\u52a1\u7684\u667a\u80fd\u5907\u4ef6\u4f9b\u5e94\u94fe\u89e3\u51b3\u65b9\u6848\u3002\r\n\r\nSAP Service Parts Management\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f3a\u5c11\u6388\u6743\u68c0\u67e5\uff0c\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u7684\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "SAP Service Parts Management\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "SAP SAP Service Parts Management"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2025-43009",
  "serverity": "\u4e2d",
  "submitTime": "2025-05-30",
  "title": "SAP Service Parts Management\u6388\u6743\u95ee\u9898\u6f0f\u6d1e"
}

CVE-2025-43009 (GCVE-0-2025-43009)

Vulnerability from cvelistv5 – Published: 2025-05-13 00:19 – Updated: 2025-05-13 14:11

Summary

SAP Service Parts Management (SPM) does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. This has low impact on Confidentiality, integrity and availability of the application.

Severity ?

6.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-862 - Missing Authorization

Assigner

sap

References

URL

Tags

	https://me.sap.com/notes/2491817
	https://url.sap/sapsecuritypatchday

Impacted products

	Vendor	Product	Version
	SAP_SE	SAP Service Parts Management (SPM)	Affected: SAP_APPL 600 Affected: 602 Affected: 603 Affected: 604 Affected: 605 Affected: 606 Affected: 616 Affected: 617 Affected: 618 Affected: S4CORE 100 Affected: 101 Affected: 102

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-43009",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-13T14:09:37.192975Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-13T14:11:47.930Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SAP Service Parts Management (SPM)",
          "vendor": "SAP_SE",
          "versions": [
            {
              "status": "affected",
              "version": "SAP_APPL 600"
            },
            {
              "status": "affected",
              "version": "602"
            },
            {
              "status": "affected",
              "version": "603"
            },
            {
              "status": "affected",
              "version": "604"
            },
            {
              "status": "affected",
              "version": "605"
            },
            {
              "status": "affected",
              "version": "606"
            },
            {
              "status": "affected",
              "version": "616"
            },
            {
              "status": "affected",
              "version": "617"
            },
            {
              "status": "affected",
              "version": "618"
            },
            {
              "status": "affected",
              "version": "S4CORE 100"
            },
            {
              "status": "affected",
              "version": "101"
            },
            {
              "status": "affected",
              "version": "102"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eSAP Service Parts Management (SPM) does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. This has low impact on Confidentiality, integrity and availability of the application.\u003c/p\u003e"
            }
          ],
          "value": "SAP Service Parts Management (SPM) does not perform necessary authorization checks for an authenticated user, allowing an attacker to escalate privileges. This has low impact on Confidentiality, integrity and availability of the application."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862: Missing Authorization",
              "lang": "eng",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-13T00:19:41.795Z",
        "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
        "shortName": "sap"
      },
      "references": [
        {
          "url": "https://me.sap.com/notes/2491817"
        },
        {
          "url": "https://url.sap/sapsecuritypatchday"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Missing Authorization check in SAP Service Parts Management (SPM)",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd",
    "assignerShortName": "sap",
    "cveId": "CVE-2025-43009",
    "datePublished": "2025-05-13T00:19:41.795Z",
    "dateReserved": "2025-04-16T13:25:53.589Z",
    "dateUpdated": "2025-05-13T14:11:47.930Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2025-11405

CVE-2025-43009 (GCVE-0-2025-43009)

Tags

Sightings

Nomenclature