SAP S/4 HANA: Authenticated User Can Configure Unauthorized Field in Custom UI
CVE-2025-43003 Published on May 13, 2025
Information Disclosure vulnerability in SAP S/4HANA (Private Cloud & On-Premise)
SAP S/4HANA allows an authenticated attacker with user privileges to configure a field not intended for their access and to create a custom UI layout that displays this field. Having done so, the attacker could gain access to highly sensitive information. This could cause a high impact on confidentiality and minimal impact on integrity and availability of the application.
Vulnerability Analysis
CVE-2025-43003 can be exploited with network access and requires a low level of user privileges. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered high for confidentiality, with no impact on integrity and availability.
Weakness Type
Exposed Dangerous Method or Function
The software provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.
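The pattern described above, modelled in Python as an added example (this is not SAP code and uses no SAP API, transaction or field names; the roles, fields and record are constructed): a layout-configuration interface that accepts any field identifier, beside a hardened version that checks field-level authorizations when the layout is saved and again when it is rendered, so that an already-saved layout cannot disclose the field either.

```python
"""Hypothetical model of the CWE-749 pattern behind CVE-2025-43003 (added example,
not SAP code): a custom-UI-layout API that accepts any field identifier lets a user
surface data that field-level authorizations would otherwise hide from them."""

# Constructed sample authorizations: which fields each role may read.
FIELD_AUTHORIZATIONS = {
    "sales_clerk": {"customer_name", "order_total"},
    "hr_admin": {"customer_name", "order_total", "national_id"},
}

# Constructed sample record that a layout would render (placeholder values).
RECORD = {"customer_name": "Example Corp", "order_total": 1200, "national_id": "ID-PLACEHOLDER"}


class AuthorizationError(Exception):
    pass


def unauthorized_fields(role, requested_fields):
    """Return the requested fields that lie outside the role's read authorizations."""
    allowed = FIELD_AUTHORIZATIONS.get(role, set())
    return sorted(set(requested_fields) - allowed)


def configure_layout_vulnerable(role, requested_fields):
    # Vulnerable: the configuration interface never consults field-level access,
    # so the saved layout may name fields the role cannot read anywhere else.
    return list(requested_fields)


def configure_layout_hardened(role, requested_fields):
    # Hardened: refuse to save a layout that names a field the role may not read.
    denied = unauthorized_fields(role, requested_fields)
    if denied:
        raise AuthorizationError(f"{role} may not configure field(s): {denied}")
    return list(requested_fields)


def render_vulnerable(layout, record):
    # Vulnerable rendering trusts the saved layout completely.
    return {f: record[f] for f in layout if f in record}


def render_hardened(role, layout, record):
    # Defence in depth: filter again at render time, so a layout saved before the
    # fix (or through another path) still cannot display unauthorized fields.
    allowed = FIELD_AUTHORIZATIONS.get(role, set())
    return {f: record[f] for f in layout if f in allowed and f in record}
```

The render-time filter matters because fixing only the configuration step leaves any layout created earlier still disclosing the field.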
Products Associated with CVE-2025-43003
Affected Versions
SAP_SE SAP S/4HANA (Private Cloud & On-Premise):
- S4CRM: versions 204, 205 and 206 are affected.
- S4CEXT: versions 107 and 108 are affected.
- BBPCRM: versions 702, 712, 713 and 714 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.