CVE-2025-25245 Overview
CVE-2025-25245 affects the SAP BusinessObjects Business Intelligence Platform, specifically the Web Intelligence component. A deprecated web application endpoint remains exposed without adequate security controls. Attackers can inject a malicious URL into the data returned to the user, resulting in reflected content that executes in the victim's browser context [CWE-79].
Successful exploitation produces limited impact on confidentiality and integrity within the scope of the victim's browser session. Availability is not affected. The flaw requires user interaction, such as clicking a crafted link, and can be triggered over the network without authentication.
Critical Impact
Attackers can leverage the unsecured deprecated endpoint to deliver Cross-Site Scripting (XSS) payloads that compromise browser session data and manipulate rendered content for authenticated SAP BusinessObjects users.
Affected Products
- SAP BusinessObjects Business Intelligence Platform 430 (Enterprise)
- SAP BusinessObjects Business Intelligence Platform 2025
- Web Intelligence component (deprecated endpoint)
Discovery Timeline
- 2025-03-11 - CVE-2025-25245 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-25245
Vulnerability Analysis
The vulnerability resides in a deprecated web application endpoint within the Web Intelligence module of SAP BusinessObjects Business Intelligence Platform. The endpoint accepts user-supplied input that is subsequently reflected into HTTP responses without sufficient sanitization or output encoding.
Because the response is rendered by the victim's browser, an injected URL or script fragment executes within the security context of the SAP BusinessObjects domain. This constitutes a reflected Cross-Site Scripting (XSS) issue mapped to [CWE-79]. The scope is marked as changed, meaning the exploited component impacts resources beyond its own security authority — typical of browser-scoped XSS crossing trust boundaries.
The attack requires user interaction. A victim must load a crafted link, typically delivered via phishing or embedded within a trusted portal. No authentication is required to launch the attack, and the network attack vector allows remote exploitation.
Root Cause
The root cause is the continued exposure of a legacy endpoint that was not decommissioned or hardened. Input passed to this endpoint is echoed back to the client without proper contextual output encoding. Deprecated code paths often lack the input validation and Content Security Policy protections applied to actively maintained routes.
Attack Vector
An attacker crafts a URL pointing at the deprecated endpoint with a malicious payload embedded in a parameter. The victim is lured into clicking the link while authenticated to the SAP BusinessObjects portal. The server reflects the payload into the response, and the victim's browser executes the injected content, exposing session tokens, cookies, or rendered report data.
No verified exploit code is publicly available for CVE-2025-25245. Refer to SAP Note #3557469 for the vendor's technical details.
Detection Methods for CVE-2025-25245
Indicators of Compromise
- HTTP requests to deprecated Web Intelligence endpoints containing URL-encoded <script>, javascript:, or onerror= payloads in query parameters.
- Referrer headers originating from external domains pointing to internal SAP BusinessObjects report URLs.
- Unexpected outbound requests from user browsers to attacker-controlled domains shortly after loading BusinessObjects content.
Detection Strategies
- Deploy web application firewall (WAF) signatures that flag reflected XSS payload patterns targeting SAP BusinessObjects request paths.
- Enable verbose access logging on the BusinessObjects Web Application Container Server and review parameters passed to legacy Web Intelligence endpoints.
- Correlate authentication events with anomalous browser-side JavaScript execution reported by endpoint telemetry.
Monitoring Recommendations
- Alert on requests to deprecated Web Intelligence URIs that should no longer receive traffic in modern deployments.
- Monitor for spikes in 200-status responses containing reflected user input on BusinessObjects front-end servers.
- Track user-reported phishing links referencing internal SAP BusinessObjects hostnames.
How to Mitigate CVE-2025-25245
Immediate Actions Required
- Apply the SAP Security Patch Day fixes referenced in SAP Note #3557469 to affected BusinessObjects deployments.
- Inventory all SAP BusinessObjects Business Intelligence Platform 430 and 2025 installations to confirm patch coverage.
- Disable the deprecated Web Intelligence endpoint at the reverse proxy or web tier if patching cannot be performed immediately.
Patch Information
SAP released fixes as part of its Security Patch Day process. Administrators should review the SAP Security Patch Day portal and apply the update described in SAP Note #3557469. Verify installation by confirming build numbers reported in the Central Management Console after patch deployment.
Workarounds
- Block requests to the deprecated Web Intelligence endpoint using a WAF or reverse proxy rule until patching is complete.
- Enforce a strict Content Security Policy on BusinessObjects front-end services to limit inline script execution.
- Train users to avoid clicking BusinessObjects links delivered from untrusted sources and to validate URLs before authenticating.
# Example nginx rule to block requests to the deprecated endpoint pending patch
location ~* /BOE/.*deprecated_webi_endpoint {
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

