Introduction
Exposure of sensitive credentials in enterprise resource planning systems can lead to unauthorized access, data manipulation, and operational disruption. SAP Business One, a widely used ERP platform for small and midsize businesses, is affected by a high-severity vulnerability (CVE-2025-42933) in its System Landscape Directory (SLD) component. This flaw allows credentials to be exposed in HTTP responses due to insufficient encryption enforcement during native client authentication.
About SAP and SAP Business One: SAP is a global leader in enterprise software, serving over 400,000 organizations across industries. SAP Business One is a core ERP product designed for small and midsize enterprises, managing financials, inventory, and operations. The SLD component is central to authentication and system management within SAP Business One deployments.
Technical Information
CVE-2025-42933 is classified under CWE-522 (Insufficiently Protected Credentials). The vulnerability arises when a user logs in through the SAP Business One native client. The SLD backend service fails to enforce proper encryption on certain API endpoints, resulting in sensitive credentials being included in the HTTP response body. This exposure can occur if the response is transmitted in plaintext or with inadequate cryptographic protection, making it susceptible to interception by attackers with network access.
The SLD is responsible for authentication, database connectivity, and system configuration. According to SAP's administrative documentation, communication with the SLD should use HTTPS with certificate-based authentication. However, the flaw in CVE-2025-42933 indicates that not all API flows adhere to this standard, leading to credential leakage. No public code snippets or detailed exploit information are available for this vulnerability.
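Because no public details of the affected endpoints exist, a defender's practical check is to audit captured login traffic for the CWE-522 pattern the text describes: credential fields returned in a response body, and whether that response travelled over plaintext HTTP. The following is an added example, not SAP code; the capture format, URLs and field names (for instance `dbPassword`) are constructed assumptions, not the SLD API.

```python
"""Audit captured HTTP exchanges for credentials returned in response bodies."""
import json
import re
from urllib.parse import urlparse

# Key names that should never be sent back to a client with a non-empty value.
CREDENTIAL_KEY_RE = re.compile(r"(passw(or)?d|secret|token|credential)", re.IGNORECASE)


def credential_keys(obj, path=""):
    """Recursively collect JSON paths whose key looks credential-like and whose value is non-empty."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            here = f"{path}.{key}" if path else key
            if CREDENTIAL_KEY_RE.search(key) and value not in (None, "", [], {}):
                hits.append(here)
            hits.extend(credential_keys(value, here))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            hits.extend(credential_keys(value, f"{path}[{index}]"))
    return hits


def audit_exchange(exchange):
    """Return a finding for one captured exchange ({"url": str, "body": str}), or None.

    A credential in a response body is a finding even over HTTPS (the client has
    no need to receive it); plaintext transport is flagged separately because it
    makes interception by anyone on the network path trivial.
    """
    scheme = urlparse(exchange["url"]).scheme.lower()
    try:
        body = json.loads(exchange["body"])
    except (ValueError, TypeError):
        return None  # non-JSON body: outside the scope of this check
    keys = credential_keys(body)
    if not keys:
        return None
    return {"url": exchange["url"], "plaintext": scheme == "http", "exposed": keys}


def audit_capture(exchanges):
    """Audit a list of exchanges and return only the findings."""
    return [finding for finding in map(audit_exchange, exchanges) if finding]


# Constructed sample capture (hypothetical hostnames and payloads, not real SLD traffic).
SAMPLE_CAPTURE = [
    {"url": "http://sld.example.internal/api/login",
     "body": '{"user":"manager","session":"abc","db":{"dbPassword":"Pa55w0rd"}}'},
    {"url": "https://sld.example.internal/api/login",
     "body": '{"user":"manager","session":"abc","dbPassword":""}'},
    {"url": "https://sld.example.internal/api/health", "body": "OK"},
]

if __name__ == "__main__":
    for finding in audit_capture(SAMPLE_CAPTURE):
        print(finding)  # prints the single plaintext login finding from the sample
```

Run it against an exported proxy or packet capture converted to the same `url`/`body` records; any finding with `"plaintext": True` is the exact exposure this advisory describes.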
Affected Systems and Versions
- Product: SAP Business One
- Component: System Landscape Directory (SLD)
- Affected versions: Not explicitly listed in public sources. Organizations should refer to SAP Security Note 3642961 for exact version details and patch applicability.
- Vulnerable configuration: Systems where users authenticate through the native SAP Business One client and the SLD backend APIs are reachable over the network.
Vendor Security History
SAP has a documented history of authentication and authorization vulnerabilities in Business One and related products. Notably, CVE-2025-42951 also affects the SLD component, allowing authorization bypass. Other recent vulnerabilities in SAP Business One include improper access control, missing authentication, and information disclosure issues. SAP maintains a monthly patch cycle and has improved response times, but the recurrence of critical flaws in authentication infrastructure highlights ongoing security challenges.