Cyber Posture

CVE-2025-0064

High

Published: 11 February 2025

Modified: 23 October 2025
KEV Added
Patch
CVSS Score: 8.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.0006 (17.9th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Description

Under specific conditions, the Central Management Console of the SAP BusinessObjects Business Intelligence platform allows an attacker with admin rights to generate or retrieve a secret passphrase, enabling them to impersonate any user in the system. This results in a high impact on confidentiality and integrity, with no impact on availability.

Security Summary

CVE-2025-0064 is a vulnerability in the Central Management Console of the SAP BusinessObjects Business Intelligence platform. Under specific conditions, an attacker with administrative rights can generate or retrieve a secret passphrase, which enables them to impersonate any user in the system. This issue, linked to CWE-732 (Incorrect Permission Assignment for Critical Resource), carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N), reflecting high impacts on confidentiality and integrity with no availability disruption.

Exploitation requires the attacker to already hold administrative privileges on the affected system; the attack is then network-based, of low complexity, and needs no user interaction. Successful exploitation grants the ability to impersonate any user, potentially leading to unauthorized access to sensitive data and manipulation of system configurations or reports.

SAP advisories, including security note 3525794 and details from the SAP Security Patch Day, provide guidance on mitigation, such as applying available patches to address the vulnerability in the Central Management Console.

Details

CWE(s): CWE-732

Affected Products

Vendor: sap
Product: businessobjects business intelligence platform
Versions: 2025, 430
