CVE-2025-42965

Server Side Request Forgery(SSRF) vulnerability in SAP BusinessObjects BI Platform Central Management Console Promotion Management Application

CVSS 4.1 MEDIUMEPSS 0.2%CWE-918

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 4.1EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

08 Jul 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

SAP CMC Promotion Management allows an authenticated attacker to enumerate internal network systems by submitting crafted requests during job source configuration. By analysing response times for various IP addresses and ports, the attacker can infer valid network endpoints. Successful exploitation may lead to information disclosure. This vulnerability does not impact the integrity or availability of the application.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

Affected products

SAP_SE · SAP BusinessObjects BI Platform Central Management Console Promotion Management Application

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://me.sap.com/notes/3598118 https://url.sap/sapsecuritypatchday