CVE-2025-26654

Potential information disclosure vulnerability in SAP Commerce Cloud (Public Cloud)

CVSS 6.8 MEDIUMEPSS 0.2%CWE-319

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 6.8EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

08 Apr 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

SAP Commerce Cloud (Public Cloud) does not allow to disable unencrypted HTTP (port 80) entirely, but instead allows a redirect from port 80 to 443 (HTTPS). As a result, Commerce normally communicates securely over HTTPS. However, the confidentiality and integrity of data sent on the first request before the redirect may be impacted if the client is configured to use HTTP and sends confidential data on the first request before the redirect.

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected products

SAP_SE · SAP Commerce Cloud (Public Cloud)

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://me.sap.com/notes/3543274 https://url.sap/sapsecuritypatchday