CVE-2025-26658 is a session fixation vulnerability classified under CWE-384 affecting the Service Layer component of SAP Business One, specifically versions B1_ON_HANA 10.0 and SAP-M-BO 10.0. The vulnerability arises from improper session management that allows an attacker to fixate a session identifier and subsequently hijack authenticated sessions of legitimate users. By doing so, attackers can impersonate other users within the application and perform unauthorized actions, including reading, modifying, or creating data. Although exploitation requires considerable time and effort, no user interaction is necessary, and the attacker needs at least low privileges to initiate the attack. The vulnerability primarily compromises confidentiality and integrity, with no impact on availability. The CVSS v3.1 base score is 6.8, reflecting a medium severity level due to the network attack vector, high impact on confidentiality and integrity, and the requirement for low privileges and high attack complexity. No patches or known exploits have been publicly disclosed as of the publication date (March 11, 2025). This vulnerability highlights weaknesses in session token handling within SAP Business One’s Service Layer, a critical interface for business operations and data management.

The exploitation of this vulnerability can lead to unauthorized access to sensitive business data and allow attackers to perform unauthorized transactions or modifications within SAP Business One. This can result in data breaches, financial fraud, and manipulation of business-critical information, undermining trust and compliance with regulatory requirements. Since SAP Business One is widely used by small and medium enterprises for ERP functions, the impact can disrupt business operations and lead to significant financial and reputational damage. The lack of availability impact means systems remain operational, potentially allowing prolonged undetected exploitation. Organizations with complex SAP deployments or those integrating SAP Business One with other systems face increased risk of lateral movement and broader compromise.

Organizations should immediately review and strengthen session management configurations in SAP Business One Service Layer. Although no official patches are currently available, administrators should enforce strict session timeout policies, regenerate session tokens upon authentication, and monitor for anomalous session activity. Implement network segmentation and restrict access to the Service Layer to trusted hosts and IP ranges. Employ multi-factor authentication (MFA) to reduce the risk of session hijacking. Regularly audit user privileges and limit permissions to the minimum necessary. Monitor logs for unusual access patterns and consider deploying web application firewalls (WAF) with custom rules to detect session fixation attempts. Stay updated with SAP security advisories for forthcoming patches and apply them promptly once released.