CVE Alert: CVE-2025-42933 – SAP_SE – SAP Business One (SLD)

CVE-2025-42933

HIGH · No exploitation known

When a user logs in via the SAP Business One native client, the SLD backend service fails to enforce proper encryption of certain APIs. This leads to exposure of sensitive credentials within the HTTP response body. As a result, it has a high impact on the confidentiality, integrity, and availability of the application.

CVSS v3.1 (8.8)
AV NETWORK · AC LOW · PR LOW · UI NONE · S UNCHANGED
Vendor
SAP_SE
Product
SAP Business One (SLD)
Versions
B1_ON_HANA 10.0 | SAP-M-BO 10.0
CWE
CWE-522: Insufficiently Protected Credentials
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Published
2025-09-09T02:11:26.232Z
Updated
2025-09-09T02:11:26.232Z

AI Summary Analysis

Risk verdict

High risk: network-accessible backend API responses can disclose credentials, with high impact across confidentiality, integrity and availability; remediation should be prioritised even without confirmed exploitation.

Why this matters

Exposure of credentials in plaintext HTTP responses enables initial access and potential lateral movement if attackers harvest them at scale. The combination of network access, low privileges required and no user interaction lowers the barrier for exploitation, increasing the likelihood of a targeted data breach or credential stuffing-style abuse.

Most likely attack path

An external or internal attacker who can reach the backend over the network needs only low privileges and no user interaction. Because encryption is not enforced on the affected APIs, sensitive data is returned in plaintext within API responses, exposing credentials without elevated access or any exploit beyond calling the API. Scope is unchanged, so the resulting access stays within the target application's security context.

Who is most exposed

Organizations running on-premises or hybrid deployments with the SLD backend exposed to client machines or partner networks are most at risk, particularly those relying on native clients for authentication and API access.

Detection ideas

  • Alerts for plaintext credentials appearing in HTTP response bodies from the backend.
  • Unusual, repetitive API responses containing sensitive fields (tokens, passwords, secrets).
  • Network IDS/IPS rules flagging large outbound payloads containing credentials.
  • WAF logs showing successful requests to sensitive endpoints with anomalous headers.
  • Audit trails showing access from non-admin accounts to credential-related APIs.
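As an added illustration of the first two detection ideas (not code from the page, from SAP, or from the site), the scanner below inspects captured HTTP response bodies for credential-bearing JSON fields and for raw credential material such as bearer or basic-auth tokens. It assumes response bodies have already been extracted as text from a proxy or WAF log; the field names, regexes, endpoint paths and sample bodies are all constructed for the example.

```python
import json
import re

# Field names that commonly carry credentials (constructed list; extend for your environment).
SENSITIVE_KEYS = {
    "password", "passwd", "pwd", "secret", "token", "access_token",
    "api_key", "apikey", "credential",
}

# Patterns for credential material inside unstructured bodies (constructed patterns).
PATTERNS = {
    "bearer_token": re.compile(r"Bearer\s+[A-Za-z0-9\-._~+/]+=*"),
    "basic_auth_header": re.compile(r"Basic\s+[A-Za-z0-9+/]{16,}={0,2}"),
    "key_value_password": re.compile(r"(?i)\b(password|passwd|pwd)\s*[=:]\s*\S+"),
}


def _walk_json(obj, path=""):
    """Yield (dotted_path, leaf_value) for every leaf in a nested JSON structure."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _walk_json(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from _walk_json(value, f"{path}[{index}]")
    else:
        yield path, obj


def find_credential_exposure(body: str):
    """Return a list of findings for one HTTP response body (empty list if clean)."""
    findings = []
    try:
        data = json.loads(body)
    except ValueError:
        data = None  # not JSON: fall through to the regex checks only
    if data is not None:
        for path, value in _walk_json(data):
            # Leaf field name without list indices, e.g. "accounts[0].api_key" -> "api_key".
            leaf = path.rsplit(".", 1)[-1].split("[")[0].lower()
            suspicious = leaf in SENSITIVE_KEYS or any(
                marker in leaf for marker in ("password", "secret", "token")
            )
            if suspicious and isinstance(value, str) and value:
                findings.append({"type": "sensitive_json_field", "where": path})
    for name, pattern in PATTERNS.items():
        if pattern.search(body):
            findings.append({"type": name, "where": "body"})
    return findings


def scan_responses(responses):
    """responses: iterable of (request_line, status_code, body). Returns one alert per hit."""
    alerts = []
    for request_line, status, body in responses:
        findings = find_credential_exposure(body)
        if findings:
            alerts.append({"request": request_line, "status": status, "findings": findings})
    return alerts


# Constructed sample responses; the endpoint paths are placeholders, not real SLD routes.
SAMPLE_RESPONSES = [
    ("GET /backend/api/example-login", 200,
     '{"user": "svc_account", "credentials": {"password": "P@ssw0rd-constructed", "host": "db01"}}'),
    ("GET /backend/api/example-session", 200,
     "session established\nAuthorization: Bearer abc.def.ghi-constructed"),
    ("GET /backend/api/example-items", 200,
     '{"status": "ok", "items": [{"id": 1, "name": "widget"}]}'),
    ("GET /backend/api/example-accounts", 200,
     '{"accounts": [{"name": "a", "api_key": "k-constructed"}]}'),
]

if __name__ == "__main__":
    for alert in scan_responses(SAMPLE_RESPONSES):
        print(alert["request"], "->", [f["type"] + "@" + f["where"] for f in alert["findings"]])
```

Run against a live capture, the alert list is what you would forward to the SIEM; the JSON walk catches structured leaks by field name, while the regexes catch tokens embedded in non-JSON bodies, so the two checks cover different failure modes of the same weakness.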

Mitigation and prioritisation

  • Apply available patches or upgrades that enforce proper API encryption; verify patch applicability to affected versions.
  • If patching isn’t possible, implement compensating controls: segment network access to the backend, restrict to trusted hosts, enforce TLS in transit, and rotate credentials exposed by APIs.
  • Enable strict access controls and least-privilege for clients contacting the backend; monitor and alert on credential exposure events.
  • Change-management: test fixes in staging, plan phased rollout, update incident response playbooks.
  • If the CVE is listed in CISA KEV or its EPSS score is ≥ 0.5, treat it as priority 1. KEV/EPSS status is currently unknown; proceed with urgency, but confirm the values and reclassify accordingly.
