CVE-2023-25617
CRITICAL
SAP Business Objects BI Platform 4.2/4.3 - Authenticated RCE via Program Object
Title source: llmDescription
SAP Business Object (Adaptive Job Server), versions 420 and 430, allows authenticated users with scheduling rights to remotely execute arbitrary commands on Unix when program object execution is enabled, using the BI Launchpad, the Central Management Console or a custom application based on the public Java SDK. Such programs could impact the confidentiality, integrity and availability of the system.
References (2)
Permissions Required
https://launchpad.support.sap.com/#/notes/3283438
Scores
CVSS v3: 9.0
EPSS: 0.0175
EPSS Percentile: 82.8%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-78
Status: published
Products (2)
sap/business_objects_business_intelligence_platform 420
sap/business_objects_business_intelligence_platform 430
Published: Mar 14, 2023
Tracked Since: Feb 18, 2026