Session Management Flaw in SAP Business One Allows User Impersonation
CVE-2025-26658
6.8 MEDIUM
Summary
The Service Layer in SAP Business One contains a vulnerability that enables attackers to potentially gain unauthorized access and impersonate legitimate users within the application. This issue arises from improper session management practices, allowing attackers to elevate their privileges and execute unauthorized actions, including reading, modifying, and writing data. Although exploiting this vulnerability requires substantial effort to acquire authenticated sessions of other users, the potential impact significantly undermines the application's confidentiality and integrity.
Affected Version(s)
SAP Business One (Service Layer) B1_ON_HANA 10.0
SAP Business One (Service Layer) SAP-M-BO 10.0
References
CVSS V3.1
Score: 6.8
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved