CVE-2025-24875
📋 TL;DR
SAP Commerce sets authentication cookies with SameSite=None by default, making them vulnerable to cross-site request forgery (CSRF) attacks. This affects all SAP Commerce deployments using default cookie settings, potentially allowing attackers to perform unauthorized actions as authenticated users.
💻 Affected Systems
- SAP Commerce
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could perform administrative actions in SAP Commerce Backoffice, modify user data, change configurations, or execute unauthorized transactions as authenticated users.
Likely Case
Attackers could trick authenticated users into performing unintended actions like changing their profile information, making purchases, or modifying preferences.
If Mitigated
With proper SameSite attribute configuration and CSRF protections in place, the risk is reduced to minimal impact.
🎯 Exploit Status
Exploitation requires user interaction and knowledge of target application endpoints. Standard CSRF attack patterns apply.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply SAP Note 3555364
Vendor Advisory: https://me.sap.com/notes/3555364
Restart Required: Yes
Instructions:
1. Download and apply SAP Note 3555364.
2. Configure cookies with SameSite=Strict or SameSite=Lax.
3. Restart SAP Commerce services.
4. Verify cookie attributes are properly set.
🔧 Temporary Workarounds
Configure SameSite Attribute
Manually configure SAP Commerce cookies to use SameSite=Strict or SameSite=Lax instead of None
Modify SAP Commerce configuration files to set cookie.sameSite=Strict or cookie.sameSite=Lax
Implement CSRF Tokens
Add CSRF token validation to all state-changing requests in SAP Commerce
Implement anti-CSRF tokens in web application forms and API endpoints
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to detect and block CSRF attempts
- Use browser security headers like Content-Security-Policy and implement referrer validation
🔍 How to Verify
Check if Vulnerable:
Inspect the Set-Cookie headers in browser developer tools to check whether SAP Commerce authentication cookies carry the SameSite=None attribute
Check Version:
Check SAP Commerce version through administration console or review patch application status
Verify Fix Applied:
Verify cookies now have SameSite=Strict or SameSite=Lax attribute and CSRF tokens are implemented
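The manual cookie inspection above can be scripted. The following is an added example (not code from this advisory or from SAP) that parses Set-Cookie header values and flags authentication cookies whose SameSite attribute is None or absent; the cookie name JSESSIONID and the sample headers are assumptions constructed for the example, not captured from a real deployment.

```python
from typing import Dict, Iterable, List, Optional

# Set-Cookie values as a browser or proxy would record them. These are
# constructed for the example, not captured from a real SAP Commerce host.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=None",
    "locale=en; Path=/; SameSite=None",
    "JSESSIONID=def456; Path=/; Secure; HttpOnly",
    "JSESSIONID=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax",
]

# Cookie names treated as authentication cookies. JSESSIONID is assumed here
# because SAP Commerce is a Java servlet application; adjust to your deployment.
AUTH_COOKIE_NAMES = {"jsessionid"}


def parse_set_cookie(header_value: str) -> Dict[str, Optional[str]]:
    """Split one Set-Cookie value into the cookie name plus its attributes.

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
    a flag attribute without a value (e.g. Secure) maps to None.
    """
    parts = [p.strip() for p in header_value.split(";")]
    attrs: Dict[str, Optional[str]] = {"name": parts[0].split("=", 1)[0].strip()}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip() or None
    return attrs


def samesite_finding(header_value: str) -> Optional[str]:
    """Return a finding if the cookie may be sent cross-site, else None.

    SameSite=None is the setting this CVE concerns. A missing attribute is
    reported as a separate finding because browsers differ in their default.
    """
    attrs = parse_set_cookie(header_value)
    value = attrs.get("samesite")
    if value is None:
        return f"{attrs['name']}: SameSite attribute missing"
    if value.lower() == "none":
        return f"{attrs['name']}: SameSite=None"
    return None


def audit_auth_cookies(headers: Iterable[str],
                       auth_names: Iterable[str] = AUTH_COOKIE_NAMES) -> List[str]:
    """Check only authentication cookies; one finding string per problem."""
    names = {n.lower() for n in auth_names}
    findings = []
    for header in headers:
        if parse_set_cookie(header)["name"].lower() in names:
            finding = samesite_finding(header)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for line in audit_auth_cookies(SAMPLE_HEADERS):
        print("FINDING", line)
```

After the fix is applied, rerunning the check over fresh headers should return an empty list for the authentication cookies.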
📡 Detection & Monitoring
Log Indicators:
- Multiple failed state-changing requests from the same user
- Unusual administrative actions from non-admin users
Network Indicators:
- Requests with missing or invalid CSRF tokens
- Cross-origin requests to sensitive endpoints
SIEM Query:
source="sap-commerce" AND (action="modify" OR action="delete" OR action="create") AND referrer NOT CONTAINS "expected-domain"