
CVE-2025-51533: n/a

Medium
Published: Thu Aug 07 2025 (08/07/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

An Insecure Direct Object Reference (IDOR) in Sage DPW v2024_12_004 and below allows unauthorized attackers to access internal forms via sending a crafted GET request.

AI-Powered Analysis

Last updated: 08/07/2025, 18:47:43 UTC

Technical Analysis

CVE-2025-51533 is an Insecure Direct Object Reference (IDOR) vulnerability in Sage DPW version 2024.12.003. An IDOR arises when an application exposes a reference to an internal object (a file, database record, or key) directly to users and then serves that object without checking that the requester is authorized to see it. Here, an unauthenticated attacker can send a specially crafted GET request and retrieve internal forms that should be restricted; no authentication or user interaction is required, so exploitation is straightforward. The vulnerability affects confidentiality only: an attacker can view sensitive internal forms, but cannot modify data or disrupt availability. The vendor has addressed the issue in the Halbjahresversion 2024_12_004 update. The CVSS v3.1 base score is 5.3 (medium), with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N: network attack vector, low attack complexity, no privileges or user interaction required, low confidentiality impact, and no impact on integrity or availability. No exploits in the wild were known at the time of publication, and no CWE identifier was assigned. The CVE was reserved in June 2025 and published in August 2025.

Potential Impact

For European organizations using Sage DPW 2024.12.003, this vulnerability poses a risk of unauthorized disclosure of internal forms, which may contain sensitive business or personal information. Such exposure could lead to information leakage, potentially aiding further targeted attacks or causing compliance issues under regulations like GDPR if personal data is involved. Although the vulnerability does not allow modification or destruction of data, the confidentiality breach alone can damage organizational reputation and trust. The ease of exploitation without authentication increases the risk, especially for organizations with externally accessible Sage DPW instances. However, since there are no known exploits in the wild and the issue is fixed in a subsequent version, the immediate risk is moderate. Organizations that delay patching remain vulnerable to opportunistic attackers scanning for this weakness.

Mitigation Recommendations

European organizations should promptly upgrade Sage DPW to the Halbjahresversion 2024_12_004 or later, which contains the fix for this IDOR vulnerability. Until the patch is applied, organizations should restrict external access to the affected Sage DPW instance using network-level controls such as firewalls or VPNs to limit exposure. Implementing strict access control policies and monitoring HTTP requests for unusual GET requests targeting internal forms can help detect exploitation attempts. Additionally, conducting a thorough audit of exposed internal forms and reviewing logs for unauthorized access patterns is recommended. Organizations should also ensure that their incident response plans include procedures for handling data exposure incidents related to this vulnerability. Finally, raising user awareness about the importance of timely patching and maintaining up-to-date software versions is critical to reducing risk.
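The IDOR pattern described above, shown as an added example (not Sage DPW code or the vendor's fix): a form handler that trusts the object id in the URL, beside a hardened handler that authenticates the caller and checks ownership of the referenced form before returning it. The `/forms/<id>` path shape, the form records and the session model are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: internal forms keyed by a numeric object id.
# Path shape, field names and owners are assumptions, not Sage DPW's schema.
FORMS = {
    101: {"owner": "alice", "title": "Payroll change request"},
    102: {"owner": "bob", "title": "Sick leave certificate"},
}

@dataclass
class Request:
    path: str
    session_user: Optional[str] = None  # None == unauthenticated client

@dataclass
class Response:
    status: int
    body: Optional[dict] = None

def _form_id(path: str) -> Optional[int]:
    """Extract the numeric object id from /forms/<id>; None if malformed."""
    parts = path.strip("/").split("/")
    if len(parts) == 2 and parts[0] == "forms" and parts[1].isdigit():
        return int(parts[1])
    return None

def get_form_vulnerable(req: Request) -> Response:
    """IDOR: the id from the URL is used directly, with no authentication and
    no authorization check, so any client that guesses an id gets the form."""
    fid = _form_id(req.path)
    if fid is None or fid not in FORMS:
        return Response(404)
    return Response(200, FORMS[fid])

def get_form_hardened(req: Request) -> Response:
    """Per-object authorization: require a session, then verify the caller
    owns the referenced form before disclosing it."""
    if req.session_user is None:
        return Response(401)
    fid = _form_id(req.path)
    if fid is None or fid not in FORMS:
        return Response(404)
    if FORMS[fid]["owner"] != req.session_user:
        # 404 rather than 403 so the response does not confirm the id exists.
        return Response(404)
    return Response(200, FORMS[fid])
```

The hardened variant also returns the same 404 for "does not exist" and "not yours", so an unauthenticated or wrong-user client cannot enumerate valid form ids from the status code.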


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-06-16T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6894f14cad5a09ad00fb9865

Added to database: 8/7/2025, 6:32:44 PM

Last enriched: 8/7/2025, 6:47:43 PM

Last updated: 8/8/2025, 9:12:59 AM
