Forwarded by Taiwan Computer Network Crisis Response and Coordination Center (TWCERTCC-200-202508-00000009)

[Description]
[CVE-2025-42957, CVSS: 9.9] This vulnerability exists in SAP S/4HANA and SAP SCM Characteristic Propagation. It allows an attacker with user privileges to exploit a vulnerability in an RFC-exposed function module to inject arbitrary ABAP code into the system, thereby bypassing necessary authorization checks.

[CVE-2025-42950, CVSS: 9.9] This vulnerability exists in SAP Landscape Transformation (SLT). It allows an attacker with user privileges to exploit a vulnerability in an RFC-exposed function module to inject arbitrary ABAP code into the system, thereby bypassing necessary authorization checks.

[CVE-2025-42951, CVSS: 8.8] An authorization vulnerability in SAP Business One (SLD) allows an authenticated attacker to gain database administrator privileges by calling the corresponding API.

[Affected Platforms]
● SAP S/4HANA (Private Cloud or On-Premise) S4CORE versions 102, 103, 104, 105, 106, 107, and 108
● SAP Landscape Transformation (Analysis Platform) DMIS versions 2011_1_700, 2011_1_710, 2011_1_730, 2011_1_731, 2011_1_752, and 2020
● SAP Business One (SLD) B1_ON_HANA 10.0, SAP-M-BO 10.0 Version

[Recommended Action]
Patch according to the solution released on the official website:

https://support.sap.com/en/my-support/knowledge-base/security-notes-news/august-2025.html

[Reference]

https://www.twcert.org.tw/tw/cp-169-10324-fd8bf-1.html