VYPR
Medium severity (CVSS 5.3) · NVD Advisory · Published Nov 11, 2025 · Updated Apr 15, 2026

CVE-2025-42897

Description

Due to an information disclosure vulnerability in the anonymous API provided by SAP Business One (SLD), an attacker with normal user access could gain access to unauthorized information. As a result, it has a low impact on the confidentiality of the application but no impact on integrity or availability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An information disclosure vulnerability in SAP Business One's anonymous SLD API allows normal users to access unauthorized information, with low confidentiality impact.

Vulnerability

Overview

CVE-2025-42897 is an information disclosure vulnerability found in the anonymous API provided by SAP Business One (SLD). The root cause is that the SLD service exposes certain data through an anonymous endpoint without proper access control checks, allowing users with only normal (low) privileges to query and retrieve information that should be restricted to higher-privilege roles. [1]

Exploitation

Conditions

An attacker must have a valid normal user account on the SAP Business One system to exploit this vulnerability. No additional network access beyond normal application interaction is required, and the attacker does not need any special privileges beyond their existing user context. The vulnerability is triggered by sending crafted requests to the vulnerable SLD anonymous API endpoint. [1]

Impact

Successful exploitation enables the attacker to read unauthorized information from the application, limited to confidentiality only. The official description notes low impact on confidentiality, with no impact on integrity or availability. The CVSS v3 base score is 5.3 (Medium), reflecting the limited but tangible information leak. [1]

Mitigation

SAP has released security patches as part of its regular Security Patch Day. Customers are advised to apply the corresponding SAP Security Note in SAP for Me. Administrators should prioritize deployment of the patch, especially for installations where the SLD service is exposed to a wider user base. [1]

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)