CVE-2025-25243
📋 TL;DR
CVE-2025-25243 is an unauthenticated arbitrary file download vulnerability in the Master Data Management (MDM) Catalog component of SAP Supplier Relationship Management (SRM). A servlet exposed by the catalog can be reached without logging in, and an attacker who knows or guesses a file path can use it to read any file the application server process can access, including configuration files, stored credentials and business data. Any SRM-MDM Catalog instance that has not applied SAP Security Note 3567551 should be treated as affected, regardless of whether it is reachable from the internet or only from the intranet.
💻 Affected Systems
- SAP Supplier Relationship Management (SRM)
- SAP Master Data Management (MDM) Catalog
⚠️ Manual Verification Required
The CVE entry for this issue carries no version ranges (none were supplied by the vendor or NVD), so automatic detection based on version numbers cannot tell whether a given system is affected. The authoritative list of affected and corrected versions is in SAP Note 3567551; use that, not the CVE record, to decide.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through extraction of configuration files containing database credentials, encryption keys, or administrative passwords, leading to further attacks on connected systems.
Likely Case
Exfiltration of sensitive business data, customer information, or internal documents stored in accessible file paths, resulting in data breach and regulatory compliance violations.
If Mitigated
Limited exposure of non-sensitive files if the application server runs under a least-privilege OS account, file system permissions deny it access to secrets it does not need, and network segmentation keeps the servlet off untrusted networks. The vulnerability itself remains until the note is applied; these controls only shrink what an attacker can read.
🎯 Exploit Status
Exploitation requires only network access to the vulnerable servlet endpoint and knowledge of file paths to download. No authentication or user interaction needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply SAP Security Note 3567551
Vendor Advisory: https://me.sap.com/notes/3567551
Restart Required: No
Instructions:
1. Download SAP Note 3567551 from the SAP Support Portal.
2. Apply the correction instructions provided in the note.
3. Verify that the servlet is no longer accessible without authentication, or has been properly secured.
🔧 Temporary Workarounds
Network Access Control
Restrict network access to the vulnerable servlet endpoint using firewall rules or network segmentation, so that only the hosts and users that legitimately need the catalog can reach it.
Servlet Disablement
Disable or remove the vulnerable servlet if it is not required for business operations. Test this in a non-production system first: if catalog functions depend on the servlet, disabling it will break them, in which case the network restriction above is the safer interim choice.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate SAP SRM systems from untrusted networks
- Deploy web application firewall (WAF) rules to block requests to the vulnerable servlet endpoint; make sure the rule matches on the normalized (percent-decoded, case-folded) path, otherwise encoded variants of the same path slip past it
🔍 How to Verify
Check if Vulnerable:
Attempt to access the vulnerable servlet endpoint via HTTP request and check if file download is possible without authentication
Check Version:
Check SAP system version via transaction code SM51 or consult SAP Note 3567551 for specific version requirements
Verify Fix Applied:
After applying SAP Note 3567551, verify the servlet endpoint no longer allows unauthenticated file downloads
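The "Check if Vulnerable" and "Verify Fix Applied" steps above amount to the same test: send one request to the servlet with no session and see whether the server hands back a file or demands credentials. The script below is an added example (it is not SAP's code and not part of this page's original content). The servlet path and its request parameters are not listed on this page; take the URL from SAP Note 3567551 and pass it on the command line. The status-code heuristics, the content-type list and the assumption that SAP logon redirects contain "logon" or "login" in the Location header are assumptions made for the example. Run it once before and once after applying the note.

```python
"""Unauthenticated-access check for the SRM-MDM Catalog servlet (added example).

Usage: python3 check_servlet.py https://srm-host:50001/<servlet path from SAP Note 3567551>
The script sends a single GET with no session cookie and no Authorization header and
reports whether the server enforced authentication. It never writes the response to disk.
"""
import sys
import urllib.error
import urllib.request

# Content types that indicate a file was actually served rather than a page (assumed list).
DOWNLOAD_TYPES = {"application/octet-stream", "application/x-download", "application/zip",
                  "text/xml", "application/xml", "text/plain"}


def classify(status, headers, body_len):
    """Map (status, response headers, bytes received) to a verdict string.

    Heuristic, not proof: 'likely_vulnerable' means the servlet returned content to an
    anonymous caller; 'auth_enforced' means it demanded credentials or sent us to a logon page.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if status in (401, 403):
        return "auth_enforced"
    if status in (301, 302, 303, 307, 308):
        loc = h.get("location", "").lower()
        # Assumption: the Java stack's logon redirect contains 'logon' or 'login' in its URL.
        return "auth_enforced" if ("logon" in loc or "login" in loc) else "inconclusive"
    if status == 404:
        return "not_found"
    if status == 200 and body_len > 0:
        if "attachment" in h.get("content-disposition", "").lower() or ctype in DOWNLOAD_TYPES:
            return "likely_vulnerable"
        # A 200 carrying HTML is often a logon form served in-band; inspect it by hand.
        return "inconclusive"
    return "inconclusive"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface redirects as HTTPError so classify() can inspect the Location header."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, timeout=10):
    """Issue one anonymous GET and classify the reply; reads at most 4 KiB of the body."""
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2025-25243-check"})
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers), len(resp.read(4096)))
    except urllib.error.HTTPError as err:
        return classify(err.code, dict(err.headers), len(err.read(4096)))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_servlet.py <servlet URL>")
    print(probe(sys.argv[1]))
```

A verdict of "likely_vulnerable" before the note and "auth_enforced" after it is the expected pair; "inconclusive" (for example a 200 carrying an HTML logon form) needs a manual look at the response rather than a guess. Run the probe only against systems you are authorized to test, and do not supply a path to a real secret: the check is about whether authentication is enforced, not about what can be read.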
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns via servlet endpoints
- Multiple failed or successful file download attempts from single IPs
- Access to sensitive file paths via web requests
Network Indicators:
- HTTP requests to known vulnerable servlet endpoints
- Unusual outbound data transfers following servlet access
SIEM Query (pseudo-syntax; "/servlet/path" is a placeholder, replace it with the actual servlet path from SAP Note 3567551 and adapt the field names to your log source):
source="sap_logs" AND (uri CONTAINS "/servlet/path" OR action="file_download") AND user="anonymous"
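The same logic as the SIEM query, run offline over access log lines, as an added example (not part of the original page and not SAP's code). The log layout is a constructed combined-log-like format (client IP, authenticated user with "-" for anonymous, timestamp, request line, status, bytes); adapt parse() to the access log your Java application server actually writes. SERVLET_PATH is the page's placeholder and must be replaced with the real path from SAP Note 3567551; the sensitive-token list, the request parameter names and the sample lines are all constructed for the example. It goes one step beyond the query by decoding the URI before looking for traversal sequences and by counting requests per source IP, which covers the "multiple attempts from single IPs" indicator above.

```python
"""Offline detection of unauthenticated downloads via the catalog servlet (added example).

The access-log layout is a constructed combined-log-like format: client IP, authenticated
user ('-' when anonymous), timestamp, request line, status, bytes. Adapt parse() to your
own HTTP access log format. SERVLET_PATH is the page's placeholder and must be replaced with
the real servlet path from SAP Note 3567551.
"""
import re
from collections import Counter
from urllib.parse import unquote

SERVLET_PATH = "/servlet/path"  # placeholder (assumption), same string as the SIEM query above
ANON_USERS = {"-", "anonymous"}
# Substrings in a requested file name that point at traversal or secret material (assumed list).
SENSITIVE = ("..", "/etc/", ".properties", ".key", ".pem", "passwd")
# Parameter names a download servlet might use for the file argument (assumption).
FILE_PARAM = re.compile(r"(?:file|path|name)=([^&\s]+)", re.I)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+)$'
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """
10.0.0.5 - [12/Feb/2025:10:01:02 +0000] "GET /servlet/path?file=../../../etc/passwd HTTP/1.1" 200 1873
10.0.0.5 - [12/Feb/2025:10:01:03 +0000] "GET /servlet/path?file=..%2F..%2Fconfig.properties HTTP/1.1" 200 4120
10.0.0.9 jdoe [12/Feb/2025:10:02:10 +0000] "GET /catalog/index.html HTTP/1.1" 200 2210
203.0.113.7 - [12/Feb/2025:10:05:44 +0000] "GET /servlet/path?file=catalog.xml HTTP/1.1" 200 9000
203.0.113.7 - [12/Feb/2025:10:05:45 +0000] "GET /servlet/path?file=../web.xml HTTP/1.1" 403 0
10.0.0.9 jdoe [12/Feb/2025:10:06:00 +0000] "GET /servlet/path?file=catalog.xml HTTP/1.1" 200 9000
""".strip().splitlines()


def parse(line):
    """Return a dict for one log line, or None if it does not match the expected layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def targets_servlet(rec):
    return rec["uri"].startswith(SERVLET_PATH)


def unauth_download(rec):
    """An anonymous request to the servlet that returned a non-empty 200: the core indicator."""
    return (targets_servlet(rec) and rec["user"] in ANON_USERS
            and rec["status"] == 200 and rec["bytes"] > 0)


def sensitive_target(rec):
    """Decode the query once so percent-encoded '..' is caught, then check the file argument."""
    decoded = unquote(rec["uri"])
    m = FILE_PARAM.search(decoded)
    target = m.group(1) if m else decoded
    return targets_servlet(rec) and any(tok in target for tok in SENSITIVE)


def analyze(lines):
    """Return the three indicator sets the page lists: unauthenticated downloads,
    traversal/sensitive-path requests (any status), and servlet request counts per IP."""
    recs = [r for r in map(parse, lines) if r]
    return {
        "hits": [r for r in recs if unauth_download(r)],
        "traversal": [r for r in recs if sensitive_target(r)],
        "per_ip": Counter(r["ip"] for r in recs if targets_servlet(r)),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for r in result["hits"]:
        print(f"unauthenticated download: {r['ip']} {r['uri']} ({r['bytes']} bytes)")
    for r in result["traversal"]:
        print(f"sensitive/traversal target: {r['ip']} {r['uri']} status={r['status']}")
    print("servlet requests per IP:", dict(result["per_ip"]))
```

Note that the rejected request (the 403 for ../web.xml) still lands in the traversal list: a blocked probe is as useful an alert as a successful one, because it tells you who is testing the servlet. The authenticated request from jdoe for catalog.xml is deliberately not a hit, matching the query's user="anonymous" filter; if you have reason to distrust authenticated sessions, drop the ANON_USERS condition.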