CVE-2025-42897
📋 TL;DR
This CVE describes an information disclosure vulnerability in the anonymous API of SAP Business One's SLD component. An attacker with normal user access can read information they are not authorized to see; the flaw affects confidentiality but not integrity or availability. Organizations running vulnerable SAP Business One versions are affected.
💻 Affected Systems
- SAP Business One
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could access sensitive business data, customer information, or internal system details through the vulnerable API endpoint.
Likely Case
Internal users with standard access could inadvertently or intentionally access information beyond their authorization level, potentially exposing business-sensitive data.
If Mitigated
With proper access controls and network segmentation, impact is limited to minimal information leakage within authorized user groups.
🎯 Exploit Status
Exploitation requires authenticated access but appears straightforward based on the CWE-522 (Insufficiently Protected Credentials) classification and CVSS score.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to SAP Note 3652901 for specific patch versions
Vendor Advisory: https://me.sap.com/notes/3652901
Restart Required: Yes
Instructions:
1. Review SAP Note 3652901 for affected versions and patches.
2. Apply the relevant SAP security patch for your SAP Business One version.
3. Restart the SAP Business One service/application.
4. Verify the patch application through version checking.
🔧 Temporary Workarounds
Restrict Anonymous API Access
Platform: windows
Disable or restrict access to the anonymous API in the SLD component if it is not required for business operations.
Configuration is done through the SAP Business One administration console; specific commands depend on the deployment.
Network Segmentation
Platform: all
Isolate SAP Business One systems from general user networks and implement strict firewall rules.
Use firewall rules to restrict access to SAP Business One ports (typically 30000-30099 for SAP B1).
🧯 If You Can't Patch
- Implement strict access controls and principle of least privilege for all SAP Business One users
- Monitor and audit access to SAP Business One anonymous API endpoints for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check SAP Business One version against affected versions listed in SAP Note 3652901
Check Version:
Check through SAP Business One administration tools or consult SAP documentation for version checking
Verify Fix Applied:
Verify patch application through SAP Business One version check and confirm anonymous API no longer discloses unauthorized information
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to anonymous API endpoints
- Multiple failed authentication attempts followed by successful anonymous API access
Network Indicators:
- Abnormal traffic to SAP Business One SLD component ports
- Repeated API calls to anonymous endpoints from single sources
SIEM Query:
source="sap_business_one" AND (event_type="api_access" AND endpoint="anonymous") AND user!="authorized_user"
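As an added example (not code from this page or from SAP), the script below applies the three log indicators listed above to a batch of log lines: anonymous-endpoint access by a user outside an allow-list (the same condition as the SIEM query), a run of failed authentications followed by a successful anonymous API call, and a burst of anonymous calls from a single source. The JSON log format, field names, the `AUTHORIZED_ANON_USERS` allow-list, the thresholds and the sample lines are all constructed assumptions for the example; real SAP Business One and SLD logs use a different format and would need their own parser.

```python
"""Detection helper for the anonymous-API indicators (added example).

Assumed log format (constructed; real SAP Business One / SLD logs differ):
one JSON object per line with keys ts (ISO-8601), src_ip, user,
event_type ("auth" | "api_access"), endpoint, result ("success" | "failure").
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical allow-list: accounts expected to call the anonymous SLD endpoint.
AUTHORIZED_ANON_USERS = {"svc_sld_integration"}
FAILED_AUTH_THRESHOLD = 3            # failures before a success is suspicious
FAILED_AUTH_WINDOW = timedelta(minutes=5)
BURST_THRESHOLD = 5                  # anonymous calls from one source ...
BURST_WINDOW = timedelta(minutes=1)  # ... inside this window

# Constructed sample log: one authorized call, a failed-auth-then-anonymous
# sequence from 10.0.7.41, and a burst of six anonymous calls from 10.0.9.9.
SAMPLE_LOG = """\
{"ts":"2025-06-01T09:00:00","src_ip":"10.0.5.20","user":"svc_sld_integration","event_type":"api_access","endpoint":"anonymous","result":"success"}
{"ts":"2025-06-01T09:00:30","src_ip":"10.0.7.41","user":"jdoe","event_type":"api_access","endpoint":"orders","result":"success"}
{"ts":"2025-06-01T09:01:00","src_ip":"10.0.7.41","user":"jdoe","event_type":"auth","endpoint":"-","result":"failure"}
{"ts":"2025-06-01T09:01:05","src_ip":"10.0.7.41","user":"jdoe","event_type":"auth","endpoint":"-","result":"failure"}
{"ts":"2025-06-01T09:01:10","src_ip":"10.0.7.41","user":"jdoe","event_type":"auth","endpoint":"-","result":"failure"}
{"ts":"2025-06-01T09:01:20","src_ip":"10.0.7.41","user":"jdoe","event_type":"api_access","endpoint":"anonymous","result":"success"}
{"ts":"2025-06-01T09:02:00","src_ip":"10.0.9.9","user":"mlee","event_type":"api_access","endpoint":"anonymous","result":"success"}
{"ts":"2025-06-01T09:02:10","src_ip":"10.0.9.9","user":"mlee","event_type":"api_access","endpoint":"anonymous","result":"success"}
{"ts":"2025-06-01T09:02:20","src_ip":"10.0.9.9","user":"mlee","event_type":"api_access","endpoint":"anonymous","result":"success"}
{"ts":"2025-06-01T09:02:30","src_ip":"10.0.9.9","user":"mlee","event_type":"api_access","endpoint":"anonymous","result":"success"}
{"ts":"2025-06-01T09:02:40","src_ip":"10.0.9.9","user":"mlee","event_type":"api_access","endpoint":"anonymous","result":"success"}
{"ts":"2025-06-01T09:02:50","src_ip":"10.0.9.9","user":"mlee","event_type":"api_access","endpoint":"anonymous","result":"success"}
{"ts":"2025-06-01T09:03:30","src_ip":"10.0.5.20","user":"svc_sld_integration","event_type":"api_access","endpoint":"anonymous","result":"success"}
"""


def parse_log(text):
    """Parse one JSON record per line into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def is_anon_access(rec):
    """True for a successful call to the anonymous API endpoint."""
    return (rec["event_type"] == "api_access"
            and rec["endpoint"] == "anonymous"
            and rec["result"] == "success")


def detect(events):
    """Return a list of findings, one dict per matched indicator."""
    findings = []
    recent_failures = defaultdict(deque)   # (src_ip, user) -> auth failure times
    anon_calls = defaultdict(deque)        # src_ip -> anonymous call times
    burst_reported = set()                 # report each bursting source once

    for rec in events:
        key = (rec["src_ip"], rec["user"])
        if rec["event_type"] == "auth" and rec["result"] == "failure":
            recent_failures[key].append(rec["ts"])
            continue
        if not is_anon_access(rec):
            continue
        ts = rec["ts"]
        base = {"src_ip": rec["src_ip"], "user": rec["user"], "ts": ts}

        # Indicator 1: anonymous endpoint used by an account outside the allow-list.
        if rec["user"] not in AUTHORIZED_ANON_USERS:
            findings.append(dict(base, rule="unauthorized_anonymous_access"))

        # Indicator 2: several failed authentications, then anonymous API success.
        fails = recent_failures[key]
        while fails and ts - fails[0] > FAILED_AUTH_WINDOW:
            fails.popleft()
        if len(fails) >= FAILED_AUTH_THRESHOLD:
            findings.append(dict(base, rule="failed_auth_then_anonymous_access",
                                 failures=len(fails)))
            fails.clear()

        # Indicator 3: repeated anonymous calls from a single source (sliding window).
        calls = anon_calls[rec["src_ip"]]
        calls.append(ts)
        while calls and ts - calls[0] > BURST_WINDOW:
            calls.popleft()
        if len(calls) >= BURST_THRESHOLD and rec["src_ip"] not in burst_reported:
            findings.append(dict(base, rule="anonymous_endpoint_burst", count=len(calls)))
            burst_reported.add(rec["src_ip"])
    return findings


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f["ts"].isoformat(), f["rule"], f["src_ip"], f["user"])
```

The allow-list check is the same condition the SIEM query expresses with `user!="authorized_user"`; the two stateful rules are what a single-event query cannot express and are where a scheduled correlation search or this kind of batch script earns its keep. Tune the thresholds to the real call rate of integrations that legitimately use the endpoint before alerting on them.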