SAP SRM CVE-2025-42910: Brief Summary of Critical Unrestricted File Upload Vulnerability

This post offers a brief summary of CVE-2025-42910, a critical unrestricted file upload vulnerability in SAP Supplier Relationship Management (SRM). We cover technical details, affected versions, and vendor security history based on available public information.
CVE Analysis

ZeroPath CVE Analysis

2025-10-13

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Malicious file uploads in enterprise procurement systems have led to data breaches and operational disruption across multiple industries. SAP Supplier Relationship Management (SRM) is widely used by large organizations to manage procurement and supplier workflows, making vulnerabilities in this platform especially impactful.

About SAP and SRM: SAP SE is the world's largest provider of enterprise application software, serving over 400,000 customers globally. SAP SRM is a core procurement solution, integrated with backend ERP systems and used by organizations in manufacturing, healthcare, finance, and government. Vulnerabilities in SAP SRM can have cascading effects on supply chains and business operations worldwide.

Technical Information

CVE-2025-42910 is a critical vulnerability in SAP SRM's file upload functionality. The issue is due to missing verification of file type or content when users upload files. Specifically, the application does not perform adequate server-side checks to confirm that uploaded files are of an expected and safe type. This allows authenticated attackers to upload arbitrary files, including executables or scripts, which could later be downloaded and executed by users or processed by the system.

  • Vulnerability class: CWE-434 (Unrestricted Upload of File with Dangerous Type)
  • Attack vector: Authenticated attacker uploads a malicious file (such as an executable or script) via SRM's file upload feature. The system fails to validate the file's type or content, allowing the upload to succeed. The file may be executed if a user downloads and runs it, or if server-side processes handle the file insecurely.
  • Root cause: Lack of robust server-side validation of file type and content. Reliance on file extension or client-side checks is insufficient, as these can be easily bypassed.
  • Impact: Successful exploitation can compromise confidentiality, integrity, and availability. Attackers may deploy malware, establish persistence, or exfiltrate sensitive procurement data.

No public code snippets or detailed proof of concept are available for this vulnerability as of October 2025.
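To illustrate the root cause listed above, the following is an added example; it is not SAP code and is not derived from the patch. It places an extension-only check of the kind the analysis calls insufficient beside a server-side validator that also inspects file content against an allowlist. The allowlist, the byte signatures and the size limit are constructed assumptions for this example, not SRM's policy.

```python
import os
import re

# Allowlist of expected document types, mapping extension to the magic-byte
# prefixes that a file of that type must start with. The table is constructed
# for this example; a real deployment defines its own policy.
ALLOWED_TYPES = {
    ".pdf": [b"%PDF-"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".zip": [b"PK\x03\x04"],
}
# One short extension only: no directory parts, no double extensions.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}")


def weak_check(filename: str) -> bool:
    """The extension-only check the root cause describes: the name is supplied
    by the client and the bytes are never inspected, so a renamed file passes."""
    return os.path.splitext(filename)[1].lower() in ALLOWED_TYPES


def validate_upload(filename: str, data: bytes,
                    max_bytes: int = 10_000_000) -> tuple[bool, str]:
    """Server-side validation. Returns (True, safe_name) when the upload is
    acceptable, otherwise (False, reason). Callers store accepted files under
    safe_name outside the web root, never under the client-supplied path."""
    # Drop any directory component the client sent (either separator style).
    base = os.path.basename(filename.replace("\\", "/"))
    if not SAFE_NAME.fullmatch(base):
        return False, "unsafe filename"
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext} is not on the allowlist"
    if not data:
        return False, "empty file"
    if len(data) > max_bytes:
        return False, "file exceeds size limit"
    # Content check: the bytes must carry the declared type's signature.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, f"content does not match declared type {ext}"
    return True, base
```

The contrast to look for is a file named with an allowed extension whose bytes are something else: weak_check accepts it on the name alone, while validate_upload rejects it on content.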

Affected Systems and Versions

  • Product: SAP Supplier Relationship Management (SRM)
  • Version details: The vulnerability is referenced in SAP Security Note 3647332 and was addressed in the September 2025 SAP Security Patch Day. Specific affected version numbers have not been published in public sources, but the issue is present in supported SRM releases prior to the September 2025 patch. Organizations should consult SAP Note 3647332 for precise version information and patch applicability.
  • Configuration: Exploitation requires an authenticated user account with access to file upload functionality. There is no evidence that the vulnerability is limited to specific deployment scenarios or configurations.

Vendor Security History

SAP has experienced several critical vulnerabilities in 2025, including:

  • CVE-2025-42922: Arbitrary file upload in SAP NetWeaver AS Java (September 2025)
  • CVE-2025-31324: File upload vulnerability in SAP NetWeaver Visual Composer, actively exploited in the wild (April 2025)
  • CVE-2025-30012: Deserialization vulnerability in SAP SRM (May 2025)

SAP typically releases security patches on a monthly schedule and provides detailed security notes for each vulnerability. The recurrence of file upload and deserialization issues indicates ongoing challenges in secure development and testing.
