CVE-2025-24875
Description
SAP Commerce, by default, sets certain cookies with the SameSite attribute configured to None (SameSite=None). This includes authentication cookies utilized in SAP Commerce Backoffice. Applying this setting reduces defense in depth against CSRF and may lead to future compatibility issues.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SAP Commerce sets authentication cookies with SameSite=None, weakening CSRF defenses in the Backoffice application.
The vulnerability identified in CVE-2025-24875 concerns the default cookie configuration in SAP Commerce. Specifically, the application sets certain cookies — including authentication cookies used by the SAP Commerce Backoffice — with the SameSite attribute configured to None (SameSite=None) [1]. This setting reduces the browser's built-in defense-in-depth against Cross-Site Request Forgery (CSRF) attacks because it allows the cookie to be sent in cross-site requests [1].
To exploit this weakness, an attacker would need to lure an authenticated Backoffice user into visiting a malicious site, which could then trigger unintended cross-site requests using the user's active session. The prerequisite is that the victim must be logged into SAP Commerce Backoffice; no additional authentication is required from the attacker beyond crafting the malicious page [1].
The impact is an increased risk of CSRF attacks that could perform state-changing operations on behalf of the authenticated user without their consent. While this does not directly lead to data breach, it undermines the security posture of the Backoffice by removing a modern browser-enforced CSRF mitigation [1].
SAP has addressed this issue as part of its regular Security Patch Day. Customers are advised to review and apply the relevant SAP Security Notes to correct the cookie configuration. No evidence of active exploitation in the wild has been reported at the time of publication [1].
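The following is an added example, not code from SAP or from this CVE record, that shows the cookie-attribute point the description makes: a `Set-Cookie` header for a session cookie written with the weak `SameSite=None` setting beside the hardened `SameSite=Lax` form, and a small model of the browser rule that decides whether such a cookie is attached to a cross-site request. The cookie name `JSESSIONID`, the request scenarios, and the function names are constructed for illustration; the model simplifies real browser behaviour (for instance it ignores Chrome's temporary "Lax-allowing-unsafe" window for cookies that set no attribute at all).

```javascript
// Added example (not SAP's code): build Set-Cookie headers and model the
// browser's SameSite decision for a cross-site request. Assumptions: cookie
// name JSESSIONID and the request scenarios below are constructed.

// Build a Set-Cookie header; sameSite is the attribute this CVE is about.
function buildSetCookie(name, value, { sameSite = 'Lax', secure = true, httpOnly = true, path = '/' } = {}) {
  const parts = [`${name}=${value}`, `Path=${path}`, `SameSite=${sameSite}`];
  if (httpOnly) parts.push('HttpOnly');
  if (secure) parts.push('Secure');
  return parts.join('; ');
}

// Parse a Set-Cookie header back into the attributes the browser stores.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), sameSite: undefined, secure: false, httpOnly: false };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'samesite') cookie.sameSite = (v || '').toLowerCase();
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
  }
  return cookie;
}

// Methods a Lax cookie may accompany on a cross-site top-level navigation.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Simplified browser rule: would this stored cookie be attached to the request?
// request = { crossSite, topLevelNavigation, method, https }
function cookieIsSent(cookie, request) {
  if (cookie.secure && !request.https) return false;           // Secure cookies only over HTTPS
  if (!request.crossSite) return true;                          // same-site: SameSite does not apply
  const mode = cookie.sameSite || 'lax';                        // missing/unknown value: browsers default to Lax
  if (mode === 'strict') return false;                          // never on cross-site requests
  if (mode === 'none') return cookie.secure;                    // None is only accepted together with Secure
  return request.topLevelNavigation && SAFE_METHODS.has(request.method); // Lax
}

// Constructed scenarios. The first is the CSRF shape the description warns about:
// a page on another origin submits a state-changing POST to the Backoffice.
const crossSiteFormPost = { crossSite: true, topLevelNavigation: true, method: 'POST', https: true };
const crossSiteLinkClick = { crossSite: true, topLevelNavigation: true, method: 'GET', https: true };
const sameSiteRequest = { crossSite: false, topLevelNavigation: false, method: 'POST', https: true };

// For a given SameSite setting, report whether the session cookie rides along
// in each scenario. With None the cross-site POST carries the session, so the
// request is only as safe as the application's own CSRF token check.
function evaluateSameSite(sameSite, secure = true) {
  const cookie = parseSetCookie(buildSetCookie('JSESSIONID', 'constructed-session-id', { sameSite, secure }));
  return {
    header: buildSetCookie('JSESSIONID', 'constructed-session-id', { sameSite, secure }),
    sentOnCrossSitePost: cookieIsSent(cookie, crossSiteFormPost),
    sentOnCrossSiteLink: cookieIsSent(cookie, crossSiteLinkClick),
    sentOnSameSite: cookieIsSent(cookie, sameSiteRequest),
  };
}

// Weak default described by the CVE versus the hardened setting.
for (const mode of ['None', 'Lax', 'Strict']) {
  console.log(mode, evaluateSameSite(mode));
}
```

`Lax` keeps the session for ordinary navigations into the Backoffice (a link click still logs the user in) while dropping it from a cross-site form POST, which is the defense-in-depth the description says `SameSite=None` removes; `Strict` drops it from all cross-site requests, including bookmarked links, so it needs testing against the application's login flows before being adopted.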
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.