CVE-2025-26654
📋 TL;DR
SAP Commerce Cloud (Public Cloud) cannot fully disable HTTP on port 80; it can only redirect it to HTTPS on port 443. A client's first request therefore travels in cleartext before the redirect is received, and anything confidential it carries (credentials, session cookies, form fields) can be read, or answered, by anyone on the network path. All SAP Commerce Cloud Public Cloud deployments using the default configuration are affected.
💻 Affected Systems
- SAP Commerce Cloud (Public Cloud)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers intercept sensitive data (credentials, payment info, PII) transmitted in the initial HTTP request before HTTPS redirection occurs.
Likely Case
Limited exposure, confined to users whose client actually sends a request over HTTP: someone who types a bare hostname or an http:// URL, follows an old link or bookmark, or runs an integration or script pinned to an http:// endpoint. What leaks is whatever that first request carries, typically session cookies, query parameters, or a form body.
If Mitigated
Minimal impact if clients are properly configured to use HTTPS by default and no sensitive data is sent before redirect.
🎯 Exploit Status
Exploitation requires an on-path position (same network segment, rogue or compromised access point, upstream proxy) and a client that sends sensitive data in a cleartext request before it is redirected. A passive attacker only reads that request; an active one can also answer it directly instead of letting the redirect through, so the redirect itself is not a control against interception.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: none published as a version range; the fix is described in SAP Note 3543274
Vendor Advisory: https://me.sap.com/notes/3543274
Restart Required: Yes
Instructions:
1. Log in to the SAP Support Portal (S-user required) and open SAP Note 3543274
2. Follow the note's instructions for your Commerce Cloud (Public Cloud) environment
3. Restart the SAP Commerce Cloud services as the note directs
4. Re-test port 80 from outside: it should no longer accept a request that could carry data before a redirect
🔧 Temporary Workarounds
Configure Load Balancer/Proxy
Use an external load balancer, proxy or CDN you control to drop HTTP traffic before it reaches SAP Commerce Cloud. Dropping is the point: a device that merely redirects HTTP to HTTPS reproduces the same first-request exposure one hop earlier.
Client-Side HTTPS Enforcement
Configure all clients, scripts and integrations to use https:// URLs exclusively and disable any HTTP fallback. For browser users, serve a Strict-Transport-Security header with a long max-age (and submit the domain for HSTS preloading) so the browser rewrites http:// to https:// before anything is sent; without preloading, HSTS only protects visits after the first successful HTTPS response.
🧯 If You Can't Patch
- Block inbound TCP port 80 at a firewall or edge device in front of the service, so the cleartext connection is never established
- Use a WAF/IPS to alert on and block requests over HTTP that carry credentials, cookies or form bodies. Treat this as detection, not prevention: by the time the WAF inspects such a request, its contents have already crossed the network in cleartext
🔍 How to Verify
Check if Vulnerable:
From outside your network, connect to the storefront on TCP port 80 and send a request. If the port accepts the connection and answers with a 301/302/307/308 to an https:// location, the redirect-only condition described by this CVE is present. A refused or filtered connection means port 80 is disabled; a 200 response means content is being served in cleartext.
Check Version:
Check the SAP Commerce Cloud release and the SAP Notes applied to your environment via the administration console, and confirm whether SAP Note 3543274 is among them
Verify Fix Applied:
After SAP Note 3543274 has been applied, repeat the port-80 test: the connection should be refused or filtered. A redirect alone means the condition still exists. Also confirm that HTTPS responses carry a Strict-Transport-Security header so returning browsers never send a cleartext first request.
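The two checks above ("Check if Vulnerable" and "Verify Fix Applied") as a small probe. This is an added example for this page, not SAP tooling: it sends HEAD / to port 80, classifies the answer (disabled / redirect-only / cleartext), then reads the Strict-Transport-Security header from the HTTPS response. The host name and the sample responses used for the offline run are constructed.

```python
"""Probe how a host treats cleartext HTTP on port 80 and whether its HTTPS
responses set HSTS.  Added example for this page (not SAP tooling); the
sample responses and the example host name are constructed."""
import socket
import ssl
import http.client
from typing import Dict, Optional, Tuple

# Constructed sample responses so the classification can be exercised offline.
SAMPLE_REDIRECT = (b"HTTP/1.1 301 Moved Permanently\r\n"
                   b"Location: https://shop.example.com/\r\n\r\n")
SAMPLE_CLEARTEXT = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
SAMPLE_TLS_HEADERS = {"strict-transport-security":
                      "max-age=31536000; includeSubDomains; preload"}


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Split an HTTP/1.x response head into (status code, lower-cased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ")[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify_port80(raw: Optional[bytes]) -> str:
    """'disabled'  : nothing answered on 80, so no cleartext first request is possible
       'redirect'  : 80 answers only to send the client to https:// (the CVE-2025-26654 state)
       'cleartext' : 80 serves content, or redirects somewhere other than https://"""
    if not raw:
        return "disabled"
    status, headers = parse_response(raw)
    if 300 <= status < 400 and headers.get("location", "").lower().startswith("https://"):
        return "redirect"
    return "cleartext"


def parse_hsts(headers: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Parse Strict-Transport-Security.  None means a returning browser will
    still send its first request over plain HTTP."""
    value = headers.get("strict-transport-security")
    if value is None:
        return None
    policy: Dict[str, object] = {"max_age": 0, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            policy["max_age"] = int(d.split("=", 1)[1].strip('"'))
        elif d == "includesubdomains":
            policy["include_subdomains"] = True
        elif d == "preload":
            policy["preload"] = True
    return policy


def probe(host: str, timeout: float = 5.0) -> Dict[str, object]:
    """Live check (needs network): HEAD / on port 80, then HEAD / over TLS for HSTS."""
    raw: Optional[bytes] = None
    try:
        sock = socket.create_connection((host, 80), timeout=timeout)
    except (ConnectionRefusedError, socket.timeout):
        raw = None  # refused or silently dropped: nothing listens on 80
    else:
        with sock:
            sock.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
            raw = b""
            while b"\r\n\r\n" not in raw:  # read until the end of the response head
                chunk = sock.recv(4096)
                if not chunk:
                    break
                raw += chunk
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout,
                                       context=ssl.create_default_context())
    conn.request("HEAD", "/")
    tls_headers = {k.lower(): v for k, v in conn.getresponse().getheaders()}
    conn.close()
    return {"port80": classify_port80(raw), "hsts": parse_hsts(tls_headers)}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))          # e.g. python probe.py shop.example.com
    else:
        print("redirect sample  ->", classify_port80(SAMPLE_REDIRECT))
        print("cleartext sample ->", classify_port80(SAMPLE_CLEARTEXT))
        print("HSTS sample      ->", parse_hsts(SAMPLE_TLS_HEADERS))
```

Run it against the storefront hostname before and after the note is applied; the expected change is `port80` moving from `redirect` to `disabled`. An `hsts` of `None` on the HTTPS side means browsers that have visited before will still open with a cleartext request, which is the scenario the page describes.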
📡 Detection & Monitoring
Log Indicators:
- Requests on port 80 whose query string, Cookie or Authorization header, or body carries credentials, tokens or payment data
- Clients that keep arriving over HTTP after being redirected (a script or integration pinned to an http:// URL)
Network Indicators:
- Cleartext HTTP traffic to the SAP Commerce Cloud endpoint containing sensitive data
- HTTP POST/PUT requests on port 80 answered with a 301/302/307/308 to HTTPS: the body was already on the wire before the redirect
SIEM Query:
destination_port:80 AND destination_ip:[SAP_SERVER] AND (http.method:POST OR http.method:PUT)
Do not exclude the redirect status here; the 302 is the response to the cleartext request, so filtering it out hides exactly the events of interest. To find content being served over HTTP with no redirect at all, use a second query: destination_port:80 AND destination_ip:[SAP_SERVER] AND NOT http.response_code:(301 OR 302 OR 307 OR 308). Field names depend on your log schema.
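The detection logic above, run over log lines. This is an added example for this page and does not use SAP's log format: the JSON field names (`dst_port`, `method`, `uri`, `status`, `headers`) are assumptions for a generic proxy or load-balancer log, and the sample lines are constructed. It flags cleartext requests that carried a body, a sensitive query parameter, or a credential-bearing header, and notes when the server then redirected them to HTTPS.

```python
"""Flag cleartext (port 80) requests that carried sensitive data before the
HTTPS redirect.  Added example for this page, not SAP tooling; the log
schema and the sample lines below are constructed."""
import json
from typing import Dict, Iterable, List
from urllib.parse import parse_qs, urlsplit

SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "access_token",
                    "card", "cardnumber", "cvv", "ssn"}
SENSITIVE_HEADERS = {"authorization", "cookie"}
REDIRECTS = {301, 302, 307, 308}

# Constructed sample log: one JSON event per line, as a proxy/LB might emit it.
SAMPLE_LOG = """\
{"ts":"2025-04-08T10:00:01Z","dst_port":80,"method":"GET","uri":"/","status":301,"headers":{}}
{"ts":"2025-04-08T10:00:02Z","dst_port":80,"method":"POST","uri":"/login","status":302,"headers":{"content-type":"application/x-www-form-urlencoded"},"body_bytes":64}
{"ts":"2025-04-08T10:00:03Z","dst_port":80,"method":"GET","uri":"/reset?token=abc123","status":301,"headers":{}}
{"ts":"2025-04-08T10:00:04Z","dst_port":80,"method":"GET","uri":"/cart","status":301,"headers":{"cookie":"JSESSIONID=..."}}
{"ts":"2025-04-08T10:00:05Z","dst_port":443,"method":"POST","uri":"/login","status":200,"headers":{"cookie":"JSESSIONID=..."}}
"""


def reasons(event: Dict) -> List[str]:
    """Why this event shows sensitive data sent in cleartext; [] if it does not."""
    if event.get("dst_port") != 80:
        return []  # only port 80 is cleartext; TLS traffic is out of scope here
    out: List[str] = []
    method = event.get("method", "").upper()
    if method in {"POST", "PUT", "PATCH"}:
        out.append("request body sent over cleartext (%s)" % method)
    query = parse_qs(urlsplit(event.get("uri", "")).query)
    params = sorted(SENSITIVE_PARAMS & {k.lower() for k in query})
    if params:
        out.append("sensitive query parameter(s): " + ", ".join(params))
    hdrs = sorted(SENSITIVE_HEADERS & {h.lower() for h in event.get("headers", {})})
    if hdrs:
        out.append("credential-bearing header(s): " + ", ".join(hdrs))
    # A redirect status on a flagged request confirms the redirect-only behaviour:
    # the data had already crossed the network when the client was sent to HTTPS.
    if out and event.get("status") in REDIRECTS:
        out.append("redirected to HTTPS after the fact (status %d)" % event["status"])
    return out


def scan(lines: Iterable[str]) -> List[Dict]:
    """Return one finding per log line that `reasons` flags."""
    findings: List[Dict] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        why = reasons(event)
        if why:
            findings.append({"ts": event.get("ts"), "method": event.get("method"),
                             "uri": event.get("uri"), "reasons": why})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f["ts"], f["method"], f["uri"], "->", "; ".join(f["reasons"]))
```

On the sample the plain `GET /` that is redirected is not flagged (nothing sensitive was sent), the HTTPS login is not flagged (port 443), and the three port-80 events that carried a body, a token, or a cookie are. Tune `SENSITIVE_PARAMS` to the parameter names your storefront actually uses before relying on it.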