CVE-2025-25243
Severity: HIGH
SAP SRM MDM Catalog 7.52 - Unauthenticated Path Traversal via Public Servlet
SAP Supplier Relationship Management (Master Data Management Catalog) allows an unauthenticated attacker to use a publicly available servlet to download an arbitrary file over the network without any user interaction. This can reveal highly sensitive information with no impact to integrity or availability.
References (2)
Vendor Advisory
https://me.sap.com/notes/3567551
Vendor Advisory
https://url.sap/sapsecuritypatchday
Scores
CVSS v3
8.6
EPSS
0.0026
EPSS Percentile
49.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (1)
SAP_SE/SAP Supplier Relationship Management (Master Data Management Catalog)
SRM_MDM_CAT 7.52
Published
Feb 11, 2025
Tracked Since
Feb 18, 2026