CVE-2025-42951 Overview
CVE-2025-42951 is a broken authorization vulnerability in SAP Business One's System Landscape Directory (SLD) component. An authenticated attacker can invoke a specific API to gain administrator privileges over a backend database. The flaw is classified as CWE-863: Incorrect Authorization and impacts the confidentiality, integrity, and availability of the affected application.
The vulnerability is exploitable over the network with low attack complexity and only low-privilege authentication required. Successful exploitation allows an attacker to elevate from a standard authenticated user to database administrator, enabling full control of stored data.
Critical Impact
Authenticated attackers can escalate to database administrator privileges in SAP Business One (SLD), compromising confidentiality, integrity, and availability of the application data.
Affected Products
- SAP Business One — System Landscape Directory (SLD) component
- Refer to SAP Note #3625403 for the complete list of affected versions
- Refer to the SAP Security Patch Day (August 2025) advisory for the patched releases
Discovery Timeline
- 2025-08-12 - CVE-2025-42951 published to the National Vulnerability Database (NVD)
- 2026-04-15 - Last updated in the NVD
Technical Details for CVE-2025-42951
Vulnerability Analysis
The vulnerability resides in the System Landscape Directory (SLD) of SAP Business One. The SLD component manages metadata and configuration for connected company databases. One or more SLD API endpoints fail to correctly enforce authorization checks on the calling principal.
An authenticated user with limited privileges can invoke an administrative API and receive elevated database administrator rights. This breaks the intended privilege separation between standard operator roles and database administrators. The flaw is purely server-side and requires no user interaction.
The vulnerability falls under broken access control rather than authentication. The application validates that the caller is logged in but does not verify that the caller is authorized to perform the requested administrative action.
Root Cause
The root cause is incorrect authorization logic (CWE-863) in an SLD API handler. The endpoint accepts requests from any authenticated session and acts on them without re-validating role membership or required permissions against the target resource. This is a classic missing function-level authorization defect.
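The defect pattern described above, as an added illustration that is not SAP's code: a hypothetical SLD-style handler that grants database administrator rights, shown in its incorrect-authorization form (login state is the only check) and in a corrected form that re-validates the caller's role against the specific company database on every call. Session, role names and the company database names are constructed for this example.

```python
# Illustrative (not SAP's code): a minimal SLD-style API handler for granting
# database-administrator rights on a company database, in the CWE-863 form
# and the corrected form. All names here are constructed for the example.
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    pass


@dataclass
class Session:
    user: str
    authenticated: bool
    # roles held per company database, e.g. {"COMPANY_DB_A": {"operator"}}
    roles: dict = field(default_factory=dict)


def is_db_admin(session: Session, company_db: str) -> bool:
    """Function-level check: does this principal administer this database?"""
    return "administrator" in session.roles.get(company_db, set())


def grant_db_admin_vulnerable(session: Session, company_db: str, target_user: str) -> str:
    # CWE-863 pattern: only the *authentication* state is checked. The caller's
    # entitlement to administer this particular database is never evaluated,
    # so any logged-in operator can promote an account to administrator.
    if not session.authenticated:
        raise AuthorizationError("login required")
    return f"{target_user} is now administrator of {company_db}"


def grant_db_admin_fixed(session: Session, company_db: str, target_user: str) -> str:
    # Corrected: authorization is re-validated against the target resource on
    # every call instead of being inferred from the login state.
    if not session.authenticated:
        raise AuthorizationError("login required")
    if not is_db_admin(session, company_db):
        raise AuthorizationError(
            f"{session.user} is not an administrator of {company_db}")
    return f"{target_user} is now administrator of {company_db}"


if __name__ == "__main__":
    operator = Session("jdoe", True, {"COMPANY_DB_A": {"operator"}})
    print(grant_db_admin_vulnerable(operator, "COMPANY_DB_A", "jdoe"))  # succeeds: the flaw
    try:
        grant_db_admin_fixed(operator, "COMPANY_DB_A", "jdoe")
    except AuthorizationError as err:
        print("blocked:", err)
```

Note that the corrected check is scoped to the target database: an administrator of one company database is still refused on another, which is the privilege separation the advisory says the flaw breaks.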
Attack Vector
Exploitation requires network access to the SLD service and valid credentials of any authenticated user. The attacker sends a crafted API request to the vulnerable endpoint targeting a company database. The server processes the request as if it originated from a privileged administrator and grants the attacker administrative control of that database.
No verified public proof-of-concept code is available for this issue. Refer to SAP Note #3625403 for vendor-provided technical details and remediation guidance.
Detection Methods for CVE-2025-42951
Indicators of Compromise
- Unexpected SLD API calls to administrative endpoints originating from non-administrative user accounts
- New or modified database administrator accounts in SAP Business One company databases without a corresponding change ticket
- Authentication sessions from low-privilege users immediately followed by privileged database actions
- Outbound database connections using newly granted administrator credentials
Detection Strategies
- Enable verbose audit logging on the SLD service and forward authentication and authorization events to a central log platform
- Correlate SLD API request logs with user role assignments to surface privilege mismatches
- Baseline normal SLD administrative API usage and alert on deviations from expected source accounts or hosts
- Monitor SAP Business One database for unauthorized creation or modification of users in administrative roles
Monitoring Recommendations
- Forward SAP Business One and SLD logs to your SIEM or data lake for retention and correlation
- Alert on any administrative SLD API invocation that originates from an account not on an approved administrator list
- Track database role grants and revocations as a dedicated high-priority detection rule
- Review access logs after applying the patch to identify any prior abuse of the vulnerable endpoint
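The correlation described under Detection Strategies (matching SLD API request logs against role assignments) and the Monitoring Recommendations (alerting on administrative SLD API calls from accounts outside the administrator set), as one added example that is not SAP's tooling. The log line format, endpoint paths and account names are constructed for this example; a real deployment would substitute the SLD service's actual audit log format and an export from its identity source.

```python
# Illustrative detection logic (not SAP's tooling): correlate SLD-style API
# request log lines with known role assignments and flag administrative
# endpoint invocations by accounts that are not administrators.
import re
from typing import Dict, List, Set

# Constructed sample of an SLD API access log (not a real SAP log format).
SAMPLE_LOG = """\
2025-08-13T09:14:02Z user=svc_report  method=GET  path=/sld/api/companies/COMPANY_DB_A  status=200
2025-08-13T09:14:09Z user=svc_report  method=POST path=/sld/api/companies/COMPANY_DB_A/admins status=200
2025-08-13T09:20:41Z user=b1admin     method=POST path=/sld/api/companies/COMPANY_DB_A/admins status=200
2025-08-13T09:22:05Z user=jdoe        method=POST path=/sld/api/companies/COMPANY_DB_B/admins status=403
"""

# Role assignments exported from the identity source of truth (constructed).
ROLE_ASSIGNMENTS: Dict[str, Set[str]] = {
    "b1admin": {"administrator"},
    "svc_report": {"operator"},
    "jdoe": {"operator"},
}

# Endpoint that must only ever be called by administrators (constructed path).
ADMIN_PATH = re.compile(r"^/sld/api/companies/(?P<db>[^/]+)/admins$")
LINE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+method=(?P<method>\S+)\s+"
    r"path=(?P<path>\S+)\s+status=(?P<status>\d+)$")


def find_privilege_mismatches(log_text: str, roles: Dict[str, Set[str]]) -> List[dict]:
    """Return one finding per administrative call made by a non-administrator.
    Accounts absent from the role export are treated as non-administrators."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # unparseable line; count these separately in production
        target = ADMIN_PATH.match(m["path"])
        if not target:
            continue  # not an administrative endpoint
        if "administrator" in roles.get(m["user"], set()):
            continue  # expected caller, no mismatch
        findings.append({
            "time": m["ts"], "user": m["user"], "company_db": target["db"],
            "status": int(m["status"]),
            # a 2xx means the server honoured the request: the flaw was exercised
            "severity": "high" if m["status"].startswith("2") else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_privilege_mismatches(SAMPLE_LOG, ROLE_ASSIGNMENTS):
        print(finding)
```

A successful (2xx) administrative call from a non-administrator is the signal to prioritise, since a rejected call from the same account could simply indicate that the patch or a correct authorization check is already in place.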
How to Mitigate CVE-2025-42951
Immediate Actions Required
- Apply the SAP security patch referenced in SAP Note #3625403 without delay
- Restrict network access to the SLD service to trusted administrative networks only
- Audit all SAP Business One database administrator accounts and remove any that are unexpected
- Rotate credentials for accounts that may have been exposed if signs of exploitation are present
Patch Information
SAP addressed CVE-2025-42951 as part of the SAP Security Patch Day program. Customers must consult SAP Note #3625403 for the specific patched component versions and apply the update to all SAP Business One installations running the SLD component.
Workarounds
- Limit SLD API exposure to a hardened management network segment using firewall rules
- Reduce the number of accounts able to authenticate to SAP Business One until the patch is applied, since any authenticated user can trigger the flaw
- Increase audit logging and review SLD API activity daily until remediation is complete
- Enforce strong multi-factor authentication on all accounts that can reach the SLD service
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.