CVE-2025-42965

Summary

SAP CMC Promotion Management allows an authenticated attacker to enumerate internal network systems by submitting crafted requests during job source configuration. By analysing response times for various IP addresses and ports, the attacker can infer valid network endpoints. Successful exploitation may lead to information disclosure. This vulnerability does not impact the integrity or availability of the application.

Affected Software

VendorProductVersion RangeStatus
SAP_SESAP BusinessObjects BI Platform Central Management Console Promotion Management ApplicationENTERPRISE 430affected
SAP_SESAP BusinessObjects BI Platform Central Management Console Promotion Management Application2025affected
SAP_SESAP BusinessObjects BI Platform Central Management Console Promotion Management Application2027affected

Weaknesses

  • CWE-918: CWE-918: Server-Side Request Forgery

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References