Insufficient Encryption in SAP Business One Client by SAP
CVE-2025-42933

8.8HIGH

Key Information:

Vendor: SAP
Status: SAP Business One (sld)
Vendor: CVE Published:; 9 September 2025

What is CVE-2025-42933?

A security flaw exists in the SAP Business One native client where the SLD backend service does not enforce proper encryption for specific APIs during user login. This deficiency allows sensitive user credentials to be exposed within the HTTP response body, significantly compromising the confidentiality and integrity of the application. Organizations using affected versions must take immediate action to mitigate risks associated with this vulnerability.

Affected Version(s)

SAP Business One (SLD) B1_ON_HANA 10.0

SAP Business One (SLD) SAP-M-BO 10.0

References

https://me.sap.com/notes/3642961

https://url.sap/sapsecuritypatchday

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 9, 2025
Vulnerability Reserved
Apr 16, 2025