Introduction
Privilege escalation to database administrator in a business-critical ERP system can enable attackers to manipulate financial records, exfiltrate sensitive data, or disrupt operations. CVE-2025-42951 is a newly disclosed vulnerability in SAP Business One's System Landscape Directory (SLD) that allows authenticated users to bypass authorization and gain administrative database privileges via specific API calls.
About SAP and SAP Business One: SAP SE is one of the largest enterprise software vendors globally, with a customer base spanning over 400,000 organizations. SAP Business One is its flagship ERP solution for small and midsize enterprises, managing core business functions such as finance, inventory, and sales. The System Landscape Directory (SLD) is a central component responsible for managing system configuration and database connectivity within SAP Business One deployments.
Technical Information
CVE-2025-42951 is classified under CWE-863 (Incorrect Authorization). The vulnerability exists in the SLD component of SAP Business One, where certain API endpoints do not properly enforce authorization checks. When an authenticated user sends requests to these endpoints, the SLD fails to verify whether the user has the necessary privileges to perform administrative database actions. As a result, any authenticated user with network access to the SLD API can escalate their privileges to database administrator.
The SLD is responsible for maintaining configuration and connectivity information for SAP Business One systems. Administrative database functions within the SLD should be restricted to users with explicit administrator roles. In this case, the authorization logic is either missing or incorrectly implemented, allowing privilege escalation through API misuse. No public code snippets or PoC are available for this vulnerability.
The attack requires:
- Valid authentication credentials for SAP Business One
- Network access to the SLD API endpoints
No information is available about specific API paths or request formats. The vulnerability is not exploitable by unauthenticated users.
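Because no SAP code, API paths or request formats for this flaw are public, the following is an added, hypothetical illustration of the CWE-863 pattern the advisory describes, not SAP's own code: an API handler that verifies only that the caller is authenticated (authentication) and never checks that the caller holds a role permitting the administrative database action (authorization), shown beside a deny-by-default handler that does. The action names (`db.grant_admin`, `db.change_connection`), role names (`sld_admin`) and request shape are all assumptions chosen for the example. The audit trail it produces also shows the detection angle a defender cares about: denied attempts by non-administrators to reach admin-only database actions.

```python
# Added example: CWE-863 (Incorrect Authorization) in a generic API handler.
# Not SAP code. Action names, role names and the Request shape are hypothetical.
from dataclasses import dataclass
from collections import Counter
from typing import FrozenSet, List, Tuple


class AuthorizationError(Exception):
    """Raised when a request is rejected by the authentication or authorization check."""


@dataclass(frozen=True)
class Request:
    user: str                 # authenticated principal ("" means unauthenticated)
    roles: FrozenSet[str]     # roles attached to the session
    action: str               # hypothetical API action identifier


# Hypothetical admin-only database actions and the roles allowed to invoke them.
# Anything not listed here is denied by default in the hardened handler.
ADMIN_DB_ACTIONS = {
    "db.grant_admin": frozenset({"sld_admin"}),
    "db.change_connection": frozenset({"sld_admin"}),
}

AuditEntry = Tuple[str, str, str, str]  # (decision, user, action, reason)


def vulnerable_handle(req: Request, audit: List[AuditEntry]) -> str:
    """Authenticates the caller but never authorizes the action (CWE-863).

    Any logged-in user, regardless of role, reaches the administrative action.
    """
    if not req.user:
        raise AuthorizationError("unauthenticated")
    audit.append(("allow", req.user, req.action, "authenticated"))
    return f"executed {req.action} as {req.user}"


def hardened_handle(req: Request, audit: List[AuditEntry]) -> str:
    """Authenticates AND authorizes: the action must be known and the caller
    must hold one of the roles registered for it. Unknown actions are denied."""
    if not req.user:
        raise AuthorizationError("unauthenticated")
    required = ADMIN_DB_ACTIONS.get(req.action)
    if required is None:
        audit.append(("deny", req.user, req.action, "unknown action"))
        raise AuthorizationError(f"unknown action {req.action}")
    if not (req.roles & required):
        # Record the denial: repeated denials from one principal are a useful signal.
        audit.append(("deny", req.user, req.action, "missing role"))
        raise AuthorizationError(f"{req.user} lacks a role in {sorted(required)}")
    audit.append(("allow", req.user, req.action, "role check passed"))
    return f"executed {req.action} as {req.user}"


def suspicious_denials(audit: List[AuditEntry], threshold: int = 2) -> List[str]:
    """Return principals with at least `threshold` denied admin-action attempts.

    A simple detection rule that a defender could feed from SLD access logs
    (the log format here is the constructed audit tuple, not SAP's).
    """
    counts = Counter(user for decision, user, _, _ in audit if decision == "deny")
    return sorted(user for user, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    # Constructed sample requests: a non-admin session repeatedly calling admin actions.
    log: List[AuditEntry] = []
    sales = Request("alice", frozenset({"sales_user"}), "db.grant_admin")
    print(vulnerable_handle(sales, log))          # succeeds: the flaw
    for action in ("db.grant_admin", "db.change_connection"):
        try:
            hardened_handle(Request("alice", frozenset({"sales_user"}), action), log)
        except AuthorizationError as exc:
            print("denied:", exc)
    print(hardened_handle(Request("bob", frozenset({"sld_admin"}), "db.grant_admin"), log))
    print("suspicious principals:", suspicious_denials(log))
```

The design point is that the hardened handler's decision is keyed on an explicit allow-list of actions and roles, so a new administrative endpoint that is not registered fails closed instead of inheriting the authenticated-only behaviour of the vulnerable handler.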
Affected Systems and Versions
- Product: SAP Business One (System Landscape Directory component)
- Specific affected versions are not disclosed in public sources as of this writing
- All SAP Business One deployments with SLD enabled and accessible to authenticated users are potentially at risk
Vendor Security History
SAP has a history of authorization and authentication vulnerabilities in Business One:
- CVE-2023-31403: Improper access control in SAP Business One allowed unauthorized SMB share access
- CVE-2022-28771: Missing authentication in License service API
SAP issues monthly security updates and has improved its patch response time. However, recurring authorization flaws in Business One highlight ongoing challenges in access control implementation.