CVE-2025-42897: CWE-522: Insufficiently Protected Credentials in SAP_SE SAP Business One (SLD)
Due to an information disclosure vulnerability in the anonymous API provided by SAP Business One (SLD), an attacker with normal user access could gain access to unauthorized information. As a result, the vulnerability has a low impact on the confidentiality of the application but no impact on integrity and availability.
AI Analysis
Technical Summary
CVE-2025-42897 is a vulnerability classified under CWE-522 (Insufficiently Protected Credentials) found in the SAP Business One System Landscape Directory (SLD) component, specifically affecting versions B1_ON_HANA 10.0 and SAP-M-BO 10.0. The flaw arises from an information disclosure issue in an anonymous API endpoint, which allows an attacker possessing normal user-level access to retrieve unauthorized information. This vulnerability does not require user interaction and can be exploited remotely over the network with low attack complexity. The impact is limited to confidentiality, as the attacker can gain access to sensitive data but cannot alter or disrupt system integrity or availability. The CVSS v3.1 base score is 5.3, reflecting a medium severity level due to the vulnerability's ease of exploitation (network vector, no privileges required) but limited impact scope. No known exploits have been reported in the wild, and SAP has not yet published patches or mitigation guidance. The vulnerability highlights a weakness in how credentials or sensitive information are protected within the anonymous API, potentially exposing business-critical data to unauthorized users. Organizations using SAP Business One 10.0 should assess their exposure and implement compensating controls until official patches are available.
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized disclosure of sensitive business information managed within SAP Business One environments. While the impact is limited to confidentiality and does not affect system integrity or availability, the exposure of credentials or sensitive configuration data could facilitate further attacks or data breaches. Industries such as manufacturing, retail, and professional services that rely heavily on SAP Business One for ERP functions may face risks related to intellectual property theft, compliance violations (e.g., GDPR), and reputational damage. The medium severity score indicates that while the threat is not critical, it should not be ignored, especially in environments where SAP Business One is integrated with other critical business systems. The lack of known exploits reduces immediate risk but also means organizations must proactively monitor and prepare for potential exploitation attempts. Failure to address this vulnerability could lead to unauthorized data access, undermining trust and potentially triggering regulatory scrutiny in Europe.
Mitigation Recommendations
1. Restrict network access to the SAP Business One SLD anonymous API by implementing strict firewall rules and network segmentation to limit exposure to trusted users and systems only.
2. Enforce strong authentication and authorization controls around SAP Business One components, ensuring that anonymous or low-privilege access is minimized or disabled where possible.
3. Monitor logs and network traffic for unusual or unauthorized access attempts to the SLD API, employing anomaly detection tools to identify potential exploitation.
4. Engage with SAP support channels to obtain official patches or security advisories as soon as they are released and apply them promptly.
5. Conduct regular security assessments and penetration tests focusing on SAP Business One environments to identify and remediate similar weaknesses.
6. Educate system administrators and security teams about this vulnerability and the importance of protecting API endpoints, especially those that are anonymous or publicly accessible.
7. Consider deploying Web Application Firewalls (WAFs) or API gateways with strict access policies to add an additional layer of defense around SAP APIs.
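As an added example supporting recommendations 1 and 3 (not code from the advisory or from SAP), the script below scans web-server access-log lines in Common Log Format and flags SLD API requests that either come from outside an allow-listed network segment or were served anonymously. The SLD API path prefix, the trusted networks and the log lines are assumed or constructed here, because the advisory does not name the affected endpoint.

```python
import ipaddress
import re

# PLACEHOLDER: the advisory does not name the vulnerable SLD endpoint, so the
# API path prefix here is assumed; replace it with the real path in deployment.
SLD_API_PREFIX = "/sld/api/"

# Trusted segments allowed to reach the SLD API (assumed values, per recommendation 1).
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.10.0.0/16", "192.168.50.0/24")]

# Constructed sample lines in Common Log Format; the third field is the
# authenticated user, "-" meaning the request was served anonymously.
SAMPLE_LOG = """\
10.10.4.7 - b1admin [11/Nov/2025:09:01:10 +0000] "GET /sld/api/landscape HTTP/1.1" 200 1532
203.0.113.45 - - [11/Nov/2025:09:02:14 +0000] "GET /sld/api/landscape HTTP/1.1" 200 1532
203.0.113.45 - - [11/Nov/2025:09:02:15 +0000] "GET /sld/api/services HTTP/1.1" 200 980
10.10.4.7 - b1admin [11/Nov/2025:09:03:01 +0000] "GET /sld/ui/index.html HTTP/1.1" 200 4410
192.168.50.9 - - [11/Nov/2025:09:04:20 +0000] "GET /sld/api/services HTTP/1.1" 200 980
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def parse_line(line):
    """Return the parsed fields of one CLF line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_trusted(ip):
    """True if the source address falls inside an allow-listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def find_suspicious(log_text):
    """Flag SLD API requests that violate the compensating controls:
    any hit from outside the trusted segments, and anonymous hits from inside."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(SLD_API_PREFIX):
            continue  # unparseable, or not an SLD API request
        if not is_trusted(rec["ip"]):
            findings.append((rec["ip"], rec["path"], "untrusted source"))
        elif rec["user"] == "-":
            findings.append((rec["ip"], rec["path"], "anonymous access"))
    return findings
```

Feed the function the SLD host's real access log and treat each "untrusted source" finding as a segmentation gap and each "anonymous access" finding as an API call that should have required a session.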
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: sap
- Date Reserved: 2025-04-16T13:25:22.789Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6912870814bc3e00ba6f3c00
Added to database: 11/11/2025, 12:44:56 AM
Last enriched: 11/11/2025, 1:01:18 AM
Last updated: 11/11/2025, 5:08:31 AM