
CVE-2025-25243: Path traversal vulnerability in SAP Supplier Relationship Management (Master Data Management Catalog)

8.6 CVSS

Description

SAP Supplier Relationship Management (Master Data Management Catalog) allows an unauthenticated attacker to use a publicly available servlet to download an arbitrary file over the network without any user interaction. This can reveal highly sensitive information with no impact to integrity or availability.

Classification

CVE ID: CVE-2025-25243

CVSS Base Severity: HIGH

CVSS Base Score: 8.6

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Affected Products

Vendor: SAP_SE

Product: SAP Supplier Relationship Management (Master Data Management Catalog)

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 13.11% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-03-12 (date this score was calculated)

References

https://me.sap.com/notes/3567551
https://url.sap/sapsecuritypatchday

Timeline