CVE-2025-0061

High

Published: 14 January 2025

Published

14 January 2025

Modified

24 October 2025

KEV Added

—

Patch

—

CVSS Score 8.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

EPSS Score 0.0015 35.8th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

SAP BusinessObjects Business Intelligence Platform allows an unauthenticated attacker to perform session hijacking over the network without any user interaction, due to an information disclosure vulnerability. Attacker can access and modify all the data of the application.

Security Summary

CVE-2025-0061 is an information disclosure vulnerability (CWE-497) affecting the SAP BusinessObjects Business Intelligence Platform. Published on 2025-01-14, it carries a CVSS v3.1 base score of 8.7 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N). The issue enables unauthenticated attackers to perform session hijacking over the network without any user interaction by disclosing sensitive session information.

An unauthenticated attacker with network access can exploit this vulnerability, which requires high attack complexity. Upon successful session hijacking, the attacker gains the ability to access and modify all data within the application, compromising confidentiality and integrity across a changed scope.

SAP provides mitigation details in security note 3474398 at https://me.sap.com/notes/3474398 and on the SAP Security Patch Day page at https://url.sap/sapsecuritypatchday. Security practitioners should consult these resources for patch availability and recommended remediation steps.

Details

CWE(s): CWE-497

Affected Products

sap

businessobjects business intelligence platform

2025, 420, 430

References

https://me.sap.com/notes/3474398
Permissions Required · cna@sap.com
https://url.sap/sapsecuritypatchday
Patch · cna@sap.com