CVE-2025-42933 is a vulnerability identified in SAP Business One's System Landscape Directory (SLD) backend service, specifically impacting versions 10.0 of B1_ON_HANA and SAP-M-BO. The flaw arises because the SLD service fails to enforce proper encryption on certain APIs that handle user login via the SAP Business One native client. As a result, sensitive credentials are exposed in the HTTP response body in plaintext or insufficiently protected form. This exposure violates secure credential handling best practices and corresponds to CWE-522: Insufficiently Protected Credentials. The vulnerability allows an attacker with network access and low privileges to intercept or retrieve sensitive authentication data without requiring user interaction. The compromised credentials can lead to unauthorized access, data manipulation, and potential disruption of SAP Business One services, affecting confidentiality, integrity, and availability. The CVSS v3.1 base score of 8.8 reflects the high impact and ease of exploitation over the network. Although no exploits have been observed in the wild as of publication, the vulnerability represents a critical risk for organizations relying on SAP Business One for enterprise resource planning and business management. The lack of currently available patches necessitates interim mitigations such as network segmentation, encryption enforcement, and strict access controls to the SLD service endpoints.

The vulnerability exposes sensitive credentials, which can lead to unauthorized access to SAP Business One systems. This compromises the confidentiality of sensitive business data and user credentials, potentially allowing attackers to escalate privileges or move laterally within an organization's network. Integrity is at risk as attackers could manipulate business data or configurations within SAP Business One, leading to erroneous business operations or financial discrepancies. Availability may also be impacted if attackers disrupt SAP services or cause denial of service through unauthorized actions. Given SAP Business One's role in managing critical business processes, exploitation could result in significant operational disruption, financial loss, and reputational damage. Organizations with large SAP deployments or those handling sensitive financial and operational data are particularly vulnerable. The ease of exploitation over the network without user interaction increases the likelihood of targeted attacks, especially in environments with insufficient network segmentation or monitoring.

1. Apply official patches from SAP immediately once they become available to address the encryption enforcement flaw in the SLD backend service. 2. Until patches are released, enforce network-level encryption such as VPNs or TLS tunnels to protect communications between SAP Business One clients and the SLD service. 3. Restrict network access to the SLD service to trusted hosts and networks only, using firewalls and access control lists. 4. Monitor network traffic for unusual or unauthorized access patterns to the SLD service, employing intrusion detection/prevention systems. 5. Review and harden SAP Business One user privileges to minimize the impact of credential exposure. 6. Conduct regular security audits and credential rotation policies to limit the window of opportunity for attackers. 7. Educate administrators and users about the risks and signs of compromise related to SAP Business One credentials. 8. Implement multi-factor authentication (MFA) where possible to reduce the risk of credential misuse. 9. Maintain up-to-date backups of SAP Business One data to enable recovery in case of integrity or availability compromise.