CVE-2024-25646

7.7 HIGH

📋 TL;DR

CVE-2024-25646 is an information disclosure vulnerability in SAP BusinessObjects Business Intelligence Launch Pad where improper validation allows authenticated attackers to access operating system information via crafted documents. This affects organizations using vulnerable versions of SAP BusinessObjects, potentially exposing sensitive system configuration details.

💻 Affected Systems

Products:
  • SAP BusinessObjects Business Intelligence Launch Pad
Versions: Specific versions not detailed in references; consult SAP Note 3421384 for exact affected versions.
Operating Systems: All supported OS for SAP BusinessObjects
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the Business Intelligence Launch Pad application.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could map internal network architecture, identify vulnerable systems, and gather intelligence for further attacks, potentially leading to full system compromise.

🟠 Likely Case

Unauthorized access to operating system details that could be used for reconnaissance and targeted attacks against the SAP environment.

🟢 If Mitigated

Limited exposure with proper network segmentation and access controls, though system information could still be leaked to authenticated users.

🌐 Internet-Facing: HIGH if exposed to internet, as authenticated attackers could exploit from anywhere.
🏢 Internal Only: MEDIUM as it requires authenticated access but could be exploited by malicious insiders or compromised accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access and ability to upload or craft documents within the application.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply SAP Security Note 3421384

Vendor Advisory: https://me.sap.com/notes/3421384

Restart Required: Yes

Instructions:

1. Download SAP Note 3421384 from the SAP Support Portal.
2. Apply the security patch following SAP's standard patching procedures.
3. Restart the affected SAP BusinessObjects services.
4. Verify that the patch has been applied correctly.

🔧 Temporary Workarounds

Restrict Document Uploads

Limit document upload capabilities to trusted users only and implement strict validation on uploaded files.

Network Segmentation

Isolate SAP BusinessObjects systems from sensitive network segments to limit impact of information disclosure.

🧯 If You Can't Patch

  • Implement strict access controls to limit authenticated users who can upload documents.
  • Monitor for unusual document upload activities and access to system information within the application.

🔍 How to Verify

Check if Vulnerable:

Check if SAP Security Note 3421384 is applied in your SAP BusinessObjects system via transaction SNOTE or by consulting system administrators.

Check Version:

Check SAP BusinessObjects version via Central Management Console or consult system documentation.

Verify Fix Applied:

Verify patch application through SAP Note 3421384 status and test that crafted documents no longer reveal operating system information.

📡 Detection & Monitoring

Log Indicators:

  • Unusual document upload activities
  • Access to system information queries
  • Failed attempts to exploit the vulnerability

Network Indicators:

  • Suspicious requests to document processing endpoints
  • Unusual outbound data transfers from SAP systems

SIEM Query:

source="sap_businessobjects" AND (event="document_upload" OR event="system_info_access")
