Platform: sap
Component: sap-business-objects-business-intelligence-platform
Fixed in: 430.0.1, 2025.0.1, 2027.0.1
CVE-2025-42988 describes a Server-Side Request Forgery (SSRF) vulnerability in SAP Business Objects Business Intelligence Platform. It allows an unauthenticated attacker to enumerate HTTP endpoints on the internal network by sending crafted HTTP requests that cause the server to issue requests on the attacker's behalf. The vulnerability does not directly affect data integrity or application availability, but the endpoint enumeration can be a precursor to further exploitation and SSRF attacks. It affects versions of the platform up to and including Enterprise 430; fixes are available in versions 430.0.1, 2025.0.1 and 2027.0.1.
The primary impact of CVE-2025-42988 lies in the exposure of internal HTTP endpoints. An attacker can leverage this information to map the internal network architecture and identify potential targets for further attacks. While the vulnerability itself doesn't allow direct data exfiltration or modification, successful endpoint enumeration can be a stepping stone to SSRF attacks, potentially allowing access to internal services and resources that should be inaccessible from the outside. This could include accessing sensitive configuration files, internal APIs, or even other internal systems, depending on the services exposed on those endpoints. The lack of authentication required for this enumeration significantly broadens the attack surface.
CVE-2025-42988 was publicly disclosed on 2025-06-10. The CVSS base score is 3.7 (Low), and the EPSS estimate of 0.08% (23rd percentile) likewise indicates a low likelihood of exploitation. No public proof-of-concept (PoC) code has been released as of this writing, but the nature of the vulnerability makes it likely that PoCs will emerge. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.08% (23rd percentile)
The recommended mitigation for CVE-2025-42988 is to immediately upgrade to SAP Business Objects Business Intelligence Platform version 430.0.1 or later. If upgrading is not immediately feasible, consider implementing network segmentation to restrict access to internal services from the affected platform. Web Application Firewalls (WAFs) configured to detect and block suspicious HTTP requests targeting internal endpoints can provide an additional layer of defense. Monitor HTTP access logs for unusual patterns or requests originating from the platform that could indicate exploitation attempts. After upgrading, confirm the vulnerability is resolved by attempting to enumerate endpoints and verifying that the requests are blocked or return an error.
Apply the security updates provided by SAP for Business Objects Business Intelligence Platform. Consult SAP Note 3585545 for detailed information about the update and affected versions. Thorough testing in a staging environment is recommended before applying the update in production.
CVE-2025-42988 is a Server-Side Request Forgery (SSRF) vulnerability in SAP Business Objects Business Intelligence Platform allowing unauthenticated attackers to enumerate internal HTTP endpoints.
You are affected if you are running SAP Business Objects Business Intelligence Platform versions up to and including Enterprise 430.
Upgrade to SAP Business Objects Business Intelligence Platform version 430.0.1 or later. Consider network segmentation and WAF rules as interim measures.
There is no confirmed active exploitation as of the last update, but the vulnerability's nature suggests potential for future exploitation.
Refer to the official SAP Security Notes for details and updates regarding CVE-2025-42988. Check the SAP Support Portal for the latest information.