Information Disclosure Vulnerability in SAP CMC Promotion Management
CVE-2025-42965

4.1MEDIUM

Key Information:

Vendor: SAP
Status: SAP Businessobjects Bi Platform Central Management Console Promotion Management Application
Vendor: CVE Published:; 8 July 2025

What is CVE-2025-42965?

The vulnerability in SAP CMC Promotion Management enables authenticated attackers to enumerate internal network systems by crafting specific requests during job source configuration. By analyzing the response times associated with various IP addresses and network ports, attackers can discern valid endpoints within the network. This may lead to the unintended disclosure of sensitive information, posing a significant risk to an organization's security posture. It is important to note that this vulnerability does not affect the integrity or availability of the application.

Affected Version(s)

SAP BusinessObjects BI Platform Central Management Console Promotion Management Application ENTERPRISE 430

SAP BusinessObjects BI Platform Central Management Console Promotion Management Application 2025

SAP BusinessObjects BI Platform Central Management Console Promotion Management Application 2027

References

https://me.sap.com/notes/3598118

https://url.sap/sapsecuritypatchday

CVSS V3.1

Score:

4.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 8, 2025
Vulnerability Reserved
Apr 16, 2025