OS Command Injection in SAP Business Connector (CVE-2025-42892)
CVE-2025-42892 Published on November 11, 2025

OS Command Injection vulnerability in SAP Business Connector
Due to an OS Command Injection vulnerability in SAP Business Connector, an authenticated attacker with administrative access and adjacent network access could upload specially crafted content to the server. If processed by the application, this content enables execution of arbitrary operating system commands. Successful exploitation could lead to full compromise of the systems confidentiality, integrity, and availability.

NVD

Vulnerability Analysis

Attack Vector:
ADJACENT_NETWORK
Attack Complexity:
LOW
Privileges Required:
HIGH
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Type

What is a Shell injection Vulnerability?

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVE-2025-42892 has been classified to as a Shell injection vulnerability or weakness.


Products Associated with CVE-2025-42892

Want to know whenever a new CVE is published for Sap Business Connector? stack.watch will email you.

Sap Business Connector
 

Affected Versions

SAP_SE SAP Business Connector Version SAP BC 4.8 is affected by CVE-2025-42892

Exploit Probability

EPSS
0.22%
Percentile
44.47%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.