February 11, 2025
Severity
Medium
Analysis Summary
CVE-2025-25243 CVSS:8.6
SAP Supplier Relationship Management (Master Data Management Catalog) allows an unauthenticated attacker to use a publicly available servlet to download an arbitrary file over the network without any user interaction. This can reveal highly sensitive information with no impact to integrity or availability.
CVE-2025-24875 CVSS:6.8
SAP Commerce, by default, sets certain cookies with the SameSite attribute configured to None (SameSite=None). This includes authentication cookies utilized in SAP Commerce Backoffice. Applying this setting reduces defense in depth against CSRF and may lead to future compatibility issues.
CVE-2025-24874 CVSS:6.8
SAP Commerce (Backoffice) uses the deprecated X-Frame-Options header to protect against clickjacking. While this protection remains effective now, it may not be the case in the future, as browsers might discontinue support for this header in favor of the frame-ancestors CSP directive. Clickjacking could then become possible and lead to exposure and modification of sensitive information.
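A header audit for the two SAP Commerce items above (CVE-2025-24875 and CVE-2025-24874), added here as an example and not taken from SAP or from this advisory: it flags cookies sent with SameSite=None and responses that rely on X-Frame-Options without a CSP frame-ancestors directive. The sample headers, cookie names and the `audit` helper are constructed for illustration.

```python
# Added example (not SAP code): audit response headers for SameSite=None and framing policy.
from email.parser import Parser  # stdlib header parser, also used by http.client

# Constructed sample response headers; cookie names and values are made up.
SAMPLE_HEADERS = (
    "X-Frame-Options: SAMEORIGIN\n"
    "Content-Security-Policy: default-src 'self'\n"
    "Set-Cookie: SESSIONID=abc123; Path=/backoffice; Secure; HttpOnly; SameSite=None\n"
    "Set-Cookie: lang=en; Path=/; SameSite=Lax\n"
    "Set-Cookie: theme=dark; Path=/\n"
)

def cookie_samesite(set_cookie):
    """Return (cookie name, SameSite value lowercased, or None if absent)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "samesite":
            return name, value.strip().lower()
    return name, None

def has_frame_ancestors(csp_values):
    """True if any Content-Security-Policy header carries a frame-ancestors directive."""
    for policy in csp_values:
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return True
    return False

def audit(raw_headers):
    """Return a sorted list of findings for a raw header block."""
    msg = Parser().parsestr(raw_headers, headersonly=True)
    findings = []
    for sc in msg.get_all("Set-Cookie", []):
        name, samesite = cookie_samesite(sc)
        if samesite == "none":
            findings.append(f"cookie {name}: SameSite=None")
        elif samesite is None:
            findings.append(f"cookie {name}: SameSite not set (browser default applies)")
    if not has_frame_ancestors(msg.get_all("Content-Security-Policy", [])):
        state = "X-Frame-Options only" if msg.get("X-Frame-Options") else "no X-Frame-Options"
        findings.append(f"framing: {state}, no CSP frame-ancestors")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print(finding)
```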
CVE-2025-24872 CVSS:4.3
The ABAP Build Framework in SAP ABAP Platform allows an authenticated attacker to gain unauthorized access to a specific transaction. By executing the add-on build functionality within the ABAP Build Framework, an attacker could call the transaction and view its details. This has a limited impact on the confidentiality of the application with no effect on the integrity and availability of the application.
CVE-2025-24870 CVSS:6
SAP GUI for Windows and RFC service credentials are incorrectly stored in the memory of the program, allowing an unauthenticated attacker to access information within systems, resulting in privilege escalation. On successful exploitation, this could result in disclosure of highly sensitive information. This has no impact on integrity or availability.
CVE-2025-24869 CVSS:4.3
SAP NetWeaver Application Server Java allows an attacker to access an endpoint that can disclose information about deployed server components, including their XML definitions. This information should ideally be restricted to customer administrators, even though they may not need it. These XML files are not entirely SAP-internal as they are deployed with the server. In such a scenario, sensitive information could be exposed without compromising its integrity or availability.
CVE-2025-0064 CVSS:8.7
Under specific conditions, the Central Management Console of the SAP BusinessObjects Business Intelligence platform allows an attacker with admin rights to generate or retrieve a secret passphrase, enabling them to impersonate any user in the system. This results in a high impact on confidentiality and integrity, with no impact on availability.
CVE-2025-0054 CVSS:5.4
SAP NetWeaver Application Server Java does not sufficiently handle user input, resulting in a stored cross-site scripting vulnerability. The application allows attackers with basic user privileges to store a JavaScript payload on the server, which could later be executed in the victim's web browser. With this, the attacker might be able to read or modify information associated with the vulnerable web page.
Impact
- Gain Access
- Security Bypass
- Privilege Escalation
- Cross-Site Scripting
- Information Disclosure
Indicators of Compromise
CVE
- CVE-2025-25243
- CVE-2025-24875
- CVE-2025-24874
- CVE-2025-24872
- CVE-2025-24870
- CVE-2025-24869
- CVE-2025-0064
- CVE-2025-0054
Affected Vendors
- SAP
Affected Products
- SAP ABAP Platform Kernel 7.77
- SAP Supplier Relationship Management (Master Data Management Catalog)
- SAP Commerce (Backoffice)
- SAP GUI for Windows and RFC
- SAP NetWeaver Application Server Java
- SAP BusinessObjects Business Intelligence platform
Remediation
Refer to the SAP website for patch, upgrade, or suggested workaround information. (Login Required)