CVE-2025-25243 · HIGH 8.6 · EPSS p47.0%

Description

SAP Supplier Relationship Management (Master Data Management Catalog) allows an unauthenticated attacker to use a publicly available servlet to download an arbitrary file over the network without any user interaction. This can reveal highly sensitive information with no impact to integrity or availability.

Scoring

CVSS 3.1: 8.6 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS: 0.67% probability of exploitation · percentile 47.0% · 2026-06-19T12:03:05Z
Published: 2025-02-11
Last modified: 2026-04-15

Underlying weaknesses · 1

CWE-22

References

  1. https://me.sap.com/notes/3567551
  2. https://url.sap/sapsecuritypatchday

Type: Weakness
Target: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (cwe-22)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2025-42910
CVE: CVE-2025-42922
CVE: CVE-2025-43010
CVE: CVE-2025-42964
CVE: CVE-2025-0066
CVE: SAP NetWeaver Unrestricted File Upload Vulnerability
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.