Advisory ID: REDRAYS-2025-091
CVE ID: CVE-2025-25243
Severity: High (CVSS v3.0: 8.6/10)
Affected Product: SAP Supplier Relationship Management (Master Data Management Catalog)
Publication Date: February 2025
Executive Summary
RedRays, the premier SAP security research firm specializing in enterprise SAP vulnerability assessment, has analyzed and developed a proof-of-concept for a high-severity path traversal vulnerability in SAP Supplier Relationship Management (Master Data Management Catalog). Through expert reverse engineering of SAP's security patches, RedRays' team has created a working exploit to help organizations understand and test their exposure to this vulnerability. The flaw allows unauthenticated attackers to download arbitrary files from the server, a significant risk because it can expose highly sensitive information without requiring any user interaction or authentication.
Vulnerability Details
Description
The vulnerability exists in a publicly accessible servlet within SAP SRM MDM Catalog that fails to properly sanitize user-supplied input in URL paths. An unauthenticated attacker can exploit this flaw by manipulating the path parameter to traverse directories and access files outside the intended directory structure.
Technical Details
- Vulnerability Type: Path Traversal (CWE-22)
- Attack Vector: Network-based, no authentication required
- User Interaction: None required
- Impact: High confidentiality impact, no integrity or availability impact
RedRays' SAP security experts have developed a proof-of-concept exploit based on comprehensive analysis of the security patch. The vulnerability can be exploited through specially crafted requests to the Images servlet endpoint:
http://sap:50000/SRM_MDM/objectServer/Images?id=123&variant=Thumbnail&cachePath=/SRM-MDM/objectServer/Images&relativePath=../../%path_here%
Root Cause
The vulnerability stems from insufficient sanitization of input paths in the application's file handling mechanism, allowing directory traversal sequences to be processed.
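As an added illustration (not SAP's code, and written in Python rather than the servlet's Java) of the flaw described above and of the containment check that removes it: `resolve_unsafe`, `resolve_safe` and `demo` are hypothetical names, and the directory tree is constructed in a temporary folder.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


def resolve_unsafe(cache_root: str, relative_path: str) -> str:
    # The flawed pattern the advisory describes: the user-controlled relativePath
    # is joined onto the cache directory with no containment check, so "../"
    # segments walk out of cache_root. Illustrative only, not SAP's code.
    return os.path.normpath(os.path.join(cache_root, unquote(relative_path)))


def resolve_safe(cache_root: str, relative_path: str) -> str:
    # Hardened form: decode, canonicalise, then require the result to remain
    # inside the canonical cache root; refuse rather than serve anything else.
    root = Path(cache_root).resolve()
    candidate = (root / unquote(relative_path)).resolve()
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"path escapes cache root: {relative_path!r}")
    return str(candidate)


def demo() -> tuple[bool, bool, bool]:
    """Build a throwaway tree (constructed sample data) and compare the two
    resolvers. Returns (unsafe_escaped, safe_refused, safe_allows_legit)."""
    with tempfile.TemporaryDirectory() as base:
        root = Path(base) / "objectServer" / "Images"   # hypothetical cache dir
        root.mkdir(parents=True)
        (root / "123.jpg").write_bytes(b"constructed thumbnail bytes")
        outside = Path(base) / "config.properties"      # lives outside the root
        outside.write_text("db.password=constructed-sample\n")

        traversal = "../../config.properties"
        unsafe_escaped = (
            Path(resolve_unsafe(str(root), traversal)).resolve() == outside.resolve()
        )
        try:
            resolve_safe(str(root), traversal)
            safe_refused = False
        except PermissionError:
            safe_refused = True
        safe_allows_legit = resolve_safe(str(root), "123.jpg").endswith("123.jpg")
        return unsafe_escaped, safe_refused, safe_allows_legit


if __name__ == "__main__":
    print(demo())   # expected: (True, True, True)
```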
Affected Versions
| Software Component | Affected Versions |
|---|---|
| SRM_MDM_CAT | 7.52 |
Impact
Successful exploitation of this vulnerability could lead to:
- Unauthorized access to sensitive configuration files
- Exposure of application source code
- Disclosure of system files containing credentials or other sensitive data
CVSS Score
| Metric | Value |
|---|---|
| Attack Vector (AV) | Network (N) |
| Attack Complexity (AC) | Low (L) |
| Privileges Required (PR) | None (N) |
| User Interaction (UI) | None (N) |
| Scope (S) | Changed (C) |
| Confidentiality Impact (C) | High (H) |
| Integrity Impact (I) | None (N) |
| Availability Impact (A) | None (N) |
Remediation
Official Patch
SAP has released security patches addressing this vulnerability:
- SRM-MDM CATALOG 7.02 NW7.5: Apply Support Package SP00 Patch Level 16
- Reference SAP Security Note 3567551 (Version 9, Released: 11.02.2025)
- Release Information Note: 3569300
Mitigation
- Implement network-level access controls to restrict access to the affected servlet
- Deploy Web Application Firewall (WAF) rules to detect and block path traversal attempts
- Monitor access logs for suspicious file access patterns
- Consider temporarily disabling the affected servlet if not business-critical
Workaround
According to SAP, no workaround is available. Immediate patching is strongly recommended.
Detection
Organizations can detect exploitation attempts by monitoring for:
- HTTP requests containing directory traversal sequences (../, ..\\, %2e%2e/, etc.)
- Unusual file access patterns in application logs
- Access to files outside the designated web root directory
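An added detection example, not part of the original advisory: it runs the indicators listed above over constructed access-log lines, decoding repeatedly so double-encoded `%252e%252e` sequences are not missed, and flags the Images servlet's `relativePath`/`cachePath` parameters with higher confidence than a traversal anywhere else in the request. Function and sample names are the example's own.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (common-log layout); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Feb/2025:10:01:11 +0000] "GET /SRM_MDM/objectServer/Images?id=123&variant=Thumbnail&relativePath=123.jpg HTTP/1.1" 200 5120
10.0.0.7 - - [12/Feb/2025:10:01:15 +0000] "GET /SRM_MDM/objectServer/Images?id=123&variant=Thumbnail&cachePath=/SRM-MDM/objectServer/Images&relativePath=../../config.properties HTTP/1.1" 200 812
10.0.0.7 - - [12/Feb/2025:10:01:16 +0000] "GET /SRM_MDM/objectServer/Images?id=123&relativePath=%252e%252e%2f%252e%252e%2fconfig.properties HTTP/1.1" 200 812
10.0.0.9 - - [12/Feb/2025:10:02:00 +0000] "GET /SRM_MDM/objectServer/Images?id=124&relativePath=..%5c..%5cconfig.properties HTTP/1.1" 404 0
10.0.0.3 - - [12/Feb/2025:10:03:30 +0000] "GET /irj/portal HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+)')
# A ".." segment bounded by a path separator (either flavour), a query delimiter, or the string edge.
TRAVERSAL_RE = re.compile(r'(^|[\\/=&?])\.\.([\\/]|$)')

def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded %252e%252e is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value: str) -> bool:
    return TRAVERSAL_RE.search(fully_decode(value)) is not None

def scan_log(text: str) -> list[dict]:
    """Return one record per suspicious request: source IP, response status, and why."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        params = parse_qs(url.query, keep_blank_values=True)
        reasons = []
        # High confidence: the Images servlet from the advisory with traversal in its path parameters.
        if url.path.lower().endswith("/objectserver/images"):
            reasons += [f"{k} traversal" for k in ("relativePath", "cachePath")
                        if any(has_traversal(v) for v in params.get(k, []))]
        # Lower confidence: traversal anywhere in the request target.
        if not reasons and has_traversal(m["target"]):
            reasons.append("traversal in request target")
        if reasons:
            hits.append({"ip": m["ip"], "status": int(m["status"]), "reasons": reasons})
    return hits
```

A 200 response on a flagged request (the second and third sample lines) means the server likely served the file and should be triaged ahead of 404s.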
Credits
RedRays' elite SAP security research team, recognized globally as the leading authority in SAP vulnerability analysis and exploitation, has developed the proof-of-concept exploit for this vulnerability through advanced reverse engineering of SAP's security patches. With over a decade of experience in SAP security, RedRays specializes in analyzing SAP security fixes to develop working exploits that help organizations validate their security posture. RedRays continues to lead the industry in SAP security research, providing cutting-edge vulnerability assessments, proof-of-concept development, SAP penetration testing services, and SAP security consulting to ensure enterprise SAP environments remain protected against emerging threats.
References
- SAP Security Note 3567551
- CVE-2025-25243
- SAP Security Notes FAQ
About RedRays SAP Security
RedRays is the industry's most trusted SAP security company, specializing in comprehensive SAP vulnerability assessments, proof-of-concept development, and SAP security audits. Our expert team excels at reverse engineering SAP patches to develop working exploits that help organizations validate their security controls. RedRays' SAP security services include:
Disclaimer
The information provided in this advisory is provided "as is" without warranty of any kind. In no event shall RedRays be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
RedRays - Leading SAP Security Experts
Trusted by Fortune 500 companies for SAP vulnerability research and security assessments