CVE-2025-42897: CWE-522: Insufficiently Protected Credentials in SAP_SE SAP Business One (SLD)
Due to an information disclosure vulnerability in an anonymous API provided by SAP Business One (SLD), an attacker with normal user access could gain access to unauthorized information. As a result, it has a low impact on the confidentiality of the application but no impact on integrity or availability.
AI Analysis
Technical Summary
CVE-2025-42897 is a medium-severity vulnerability classified under CWE-522 (Insufficiently Protected Credentials) affecting SAP Business One (SLD) versions B1_ON_HANA 10.0 and SAP-M-BO 10.0. The flaw arises from an information disclosure issue in an anonymous API endpoint, which allows an attacker possessing normal user access to retrieve unauthorized information. This vulnerability does not require elevated privileges or user interaction, making it relatively easy to exploit remotely over the network. The impact is limited to confidentiality, with no effect on data integrity or system availability. The vulnerability was reserved in April 2025 and published in November 2025, with no patches currently available. SAP Business One is widely used for enterprise resource planning in small to medium-sized businesses, and the SLD (System Landscape Directory) component manages system and service information. Exposure of sensitive credentials or configuration data through this API could facilitate further attacks or data breaches. Although no exploits are known in the wild, the vulnerability demands attention due to the sensitive nature of the information potentially disclosed and the broad deployment of SAP Business One in various industries.
Potential Impact
For European organizations, the confidentiality breach could lead to unauthorized disclosure of sensitive business information, including credentials or configuration details that may be leveraged for lateral movement or further exploitation. While the vulnerability does not directly affect integrity or availability, the leaked information could indirectly facilitate more severe attacks. Industries such as manufacturing, retail, and professional services that rely heavily on SAP Business One for operational management are particularly at risk. The exposure could undermine trust, lead to regulatory compliance issues under GDPR due to potential data leaks, and cause financial and reputational damage. Since the vulnerability requires only normal user access, insider threats or compromised user accounts could be exploited to gain unauthorized information. The lack of patches increases the urgency for organizations to implement compensating controls to protect sensitive data within SAP environments.
Mitigation Recommendations
Until official patches are released by SAP, European organizations should implement strict access controls limiting normal user permissions to the minimum necessary. Monitor and audit API usage logs for unusual or unauthorized access patterns to the SLD anonymous API. Employ network segmentation to isolate SAP Business One components and restrict access to trusted hosts and users only. Use encryption for sensitive data in transit and at rest to reduce the impact of any information disclosure. Conduct regular credential audits and rotate credentials associated with SAP Business One services. Engage with SAP support and subscribe to security advisories for timely patch deployment once available. Additionally, consider deploying Web Application Firewalls (WAFs) or API gateways to detect and block suspicious API requests targeting the vulnerable endpoints. Train staff to recognize and report suspicious activities related to SAP system access.
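As an added example (not part of this advisory or of SAP's tooling), the following Python script applies the two monitoring recommendations above to reverse-proxy access logs: it flags successful SLD API requests from hosts outside a trusted allowlist and per-source bursts that suggest someone walking the API rather than making a single lookup. The SLD path prefix, the trusted host list, the log format and every log line are assumptions constructed for the example, since the advisory does not name the endpoint.

```python
import re
from collections import Counter

# Assumptions (not from the advisory): the SLD API path prefix, the trusted
# host list and the log format are placeholders for your own environment.
SLD_API_PREFIX = "/sld/api/"
TRUSTED_SOURCES = {"10.0.5.20"}   # hosts that legitimately call the SLD API
BURST_THRESHOLD = 5               # SLD API requests per source before flagging

# Apache/nginx "combined"-style line with a trailing auth=<user|-> field
# (constructed format; adjust LOG_RE to match what your proxy writes).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ auth=(?P<auth>\S+)$'
)

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def triage(lines):
    """Return (untrusted_hits, bursts) for traffic under SLD_API_PREFIX.

    untrusted_hits: (src, path, auth) for successful (2xx) requests from
    sources not in TRUSTED_SOURCES, i.e. the anonymous API reached from an
    ordinary client with only normal user access.
    bursts: {source: count} for sources exceeding BURST_THRESHOLD requests.
    """
    untrusted, per_src = [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(SLD_API_PREFIX):
            continue
        per_src[rec["src"]] += 1
        if rec["src"] not in TRUSTED_SOURCES and rec["status"].startswith("2"):
            untrusted.append((rec["src"], rec["path"], rec["auth"]))
    bursts = {s: n for s, n in per_src.items() if n > BURST_THRESHOLD}
    return untrusted, bursts

# Constructed sample log: one trusted service call, then a workstation hitting
# the SLD API six times with only a normal user's identity, then normal traffic.
SAMPLE_LOG = [
    '10.0.5.20 - - [11/Nov/2025:09:00:01 +0100] "GET /sld/api/systems HTTP/1.1" 200 512 auth=svc_b1',
] + [
    f'10.0.7.44 - - [11/Nov/2025:09:01:{s:02d} +0100] "GET /sld/api/systems/{i} HTTP/1.1" 200 2048 auth=jdoe'
    for s, i in enumerate(range(1, 7))
] + [
    '10.0.7.44 - - [11/Nov/2025:09:02:00 +0100] "GET /B1/index.html HTTP/1.1" 200 100 auth=jdoe',
]

if __name__ == "__main__":
    hits, bursts = triage(SAMPLE_LOG)
    for src, path, who in hits:
        print(f"untrusted SLD API hit: {src} {path} as {who}")
    print("bursts:", bursts)
```

Feed real proxy logs line by line into triage() and tune BURST_THRESHOLD to the normal call rate of your SLD integrations before alerting on it.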
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: sap
- Date Reserved: 2025-04-16T13:25:22.789Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6912870814bc3e00ba6f3c00
Added to database: 11/11/2025, 12:44:56 AM
Last enriched: 11/18/2025, 5:42:47 AM
Last updated: 12/21/2025, 8:44:25 PM